On June 16, 2021, the self-repaying-loan protocol Alchemix experienced what became known as a "reverse rug pull": a deployment-script bug caused approximately $6.5 million in reward funds to flow to the wrong vault, where they accidentally paid off users' alETH debts. Users could then withdraw their ETH collateral without repaying their loans — receiving free money at the protocol's expense rather than the other way around. The team froze the mint function within 15 minutes.
What happened
Alchemix's mechanism: users deposit ETH (or other collateral), borrow against it in the form of self-repaying tokens like alETH, and over time the protocol's yield strategies generate returns that automatically repay the loan through a "transmuter" reward distribution.
The bug was not in the lending or reward-accrual logic — both worked correctly. The bug was in the deployment script that created the alETH vault. The script accidentally created additional phantom vaults beyond the intended one and placed them in the array of vaults the Alchemist contract iterated over when distributing transmuter rewards.
When the contract calculated which vault should receive each reward, it used the incorrect index into the vault array — directing transmuter funds (which should have stayed in the reward pool) into the alETH vault, where they paid off users' outstanding alETH debts automatically.
For users holding alETH positions:
- Their loans were silently paid down by misrouted reward funds.
- The Alchemist contract registered their debt as fulfilled.
- They could withdraw their original ETH collateral without repaying anything themselves.
Total over the affected window: approximately $6.5 million in unintended user benefit.
Aftermath
- The Alchemix team identified the issue and, 15 minutes later, executed an emergency pause on the alETH mint function.
- A coordinated effort with Yearn Finance engineers produced a contract fix and a redeployment plan.
- The team published a detailed post-mortem and announced a recovery plan funded from protocol revenue.
- Many users who had benefited from the bug voluntarily returned the windfall after the team's public appeal. A meaningful fraction did not.
Why it matters
The Alchemix incident is one of the rarer DeFi cases where the loss flowed to users rather than from them — a counter-example to the standard "smart contract bug = attacker wins" pattern. The structural lesson is the same one repeated across DeFi history: deployment scripts are part of the protocol, and bugs in them can be as economically damaging as bugs in the contracts themselves.
Specific structural lessons:
- Vault arrays should be initialised with explicit assertions about expected length and content, with the contract reverting deployment if the actual values don't match.
- Post-deployment verification scripts should enumerate every state variable and compare against expected values before any user interaction is allowed.
- The 15-minute response time is the success story embedded in the incident: it took Alchemix that long to identify, diagnose, and pause the problem — a benchmark that has since become the floor for serious DeFi protocol response capability.
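The first two lessons can be combined into a single post-deployment gate. The sketch below is an added example, not Alchemix's code or tooling: the manifest fields (`vaults`, `activeVaultIndex`, `mintPaused`), the placeholder addresses and the in-memory `chain` object standing in for RPC reads are all assumptions, and the sample states are constructed rather than a reconstruction of the on-chain state.

```javascript
// Hypothetical manifest, written by hand before deployment: the state we expect to find.
const EXPECTED = Object.freeze({
  vaults: ['0xVAULT_ALETH_PLACEHOLDER'], // exactly one vault, in this order
  activeVaultIndex: 0,
  mintPaused: true, // deployment must finish paused
});

// Constructed stand-in for reading state over RPC; a real script would call
// the deployed contract's getters here instead of copying an object.
const readState = (chain) => ({ ...chain, vaults: [...chain.vaults] });

// Compare every state variable against the manifest and collect all mismatches.
function verifyDeployment(expected, actual) {
  const problems = [];
  for (const key of Object.keys(actual))
    if (!(key in expected)) problems.push(`unexpected state variable: ${key}`);
  for (const [key, want] of Object.entries(expected)) {
    const got = actual[key];
    if (!Array.isArray(want)) {
      if (got !== want) problems.push(`${key} is ${got}, expected ${want}`);
      continue;
    }
    if (!Array.isArray(got)) { problems.push(`${key} is not an array`); continue; }
    if (got.length !== want.length)
      problems.push(`${key} length is ${got.length}, expected ${want.length}`);
    got.forEach((item, i) => {
      if (i >= want.length) problems.push(`unexpected ${key}[${i}]: ${item}`);
      else if (item !== want[i]) problems.push(`${key}[${i}] is ${item}, expected ${want[i]}`);
    });
  }
  return problems;
}

// Gate: user interaction is enabled only when the state matches the manifest exactly.
function unpauseIfVerified(chain, expected) {
  const problems = verifyDeployment(expected, readState(chain));
  if (problems.length === 0) chain.mintPaused = false;
  return problems;
}

// Constructed samples: a clean deployment, and one where the script pushed extra vaults.
const cleanChain = { vaults: ['0xVAULT_ALETH_PLACEHOLDER'], activeVaultIndex: 0, mintPaused: true };
const buggyChain = {
  vaults: ['0xPHANTOM_A_PLACEHOLDER', '0xPHANTOM_B_PLACEHOLDER', '0xVAULT_ALETH_PLACEHOLDER'],
  activeVaultIndex: 2, mintPaused: true,
};
```

Calling `unpauseIfVerified(buggyChain, EXPECTED)` returns one line per mismatch and leaves minting paused; the clean deployment returns an empty list and is unpaused.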
The "reverse rug" framing also became a recurring meme in the DeFi-Twitter security community: a useful reminder that smart contract bugs can be economically neutral or even positive for individual users, with the cost absorbed by the protocol's other stakeholders rather than the people who notice the bug first.