Report: The Alpha Lab Infinite Minting Saga: Team Controls 96% of the tokens

Alpha Homora is our 23rd project audit in 2 months. We have to say, most of them end up being positive/adding improvements after the review goes out, and we can’t be happier about it. It means that the industry is perceived seriously, rather than being a way to scam people and steal funds.

In our audits among other things we look for the functions/hints if the project retains the ability of scamming its investors including

• Infinite minting,
• Anti-rug pool functions,
• Minting Exploits,
• Liquidity pooled,
• Transfer Allowlist,
• Owner tampering,
• Backdoor library.

So, back to Alpha Homora. Same as we did previously with YFFS and Deus, we are writing this article to inform the Community about the concerns we have about this project. As a premise, we would directly say that it seems like they are hiding. But let’s start from the beginning.

As it often happens, everything started on Twitter, where we were warning our audience about some alarming functions we found during our Alpha Homora audit.

As the community awareness grew, and people started commenting on the matter, Alpha team decided to manage this by simply banning those raising questions.

Also, if somebody mentions ‘’De.Fi’’ in their group — that’s an instant ban. Don’t believe us? Go try, and see.

This is a huge red flag for us. Some of the stuff people were saying about the situation:
Nealan Smith in De.Fi 🧑‍🌾🚜
i got banned from the group of Alpha Lab for linking this article

Links: https://t.me/DeDotFi/15884 & https://archive.vn/0bqbE

Dan Smith in De.Fi 🧑‍🌾🚜
i invest in $alpha and i wanted to ask clarification to the Alpha team

Links: https://t.me/DeDotFi/15909 & https://archive.vn/qrCEX

Other investigators also started posting about the matter and their concerns, further sharing the information about the fact that the scam probability is very high.

Then finally the project reverted with some answers and vague explanations about the gradual decentralization. Of course, with some users (or bots?) commenting on how transparent the project is, no news.

Several points from us
1. What you are doing is unprofessional. If you want to learn more about these points, you should have contacted us and learn about the rational behind the decision before just outright screaming exit ASAP.

See more below

— Stella💫️️ | 0% Cost Leveraged Strategies Protocol (@stellaxyz_) November 17, 2020

For the record, here are some concerns we stated in my audit before :

Initially, there was a huge pre-mine of 1,000,000 ERC20 ALPHA tokens to a wallet marked as Alpha Deployer (regular wallet, 0x1AAf4143C3Fe0D7CA78381C4672E4b08C4Bc009F). All of these further were transferred to the EOA wallet (0x9FDcdA036b26176B548D40918D04E0E764b456e1).

You can find the transaction by the link: https://etherscan.io/tx/0x227d26cf193c0679dc5f1948683c90b65b4e4cc175520841cbb527a2db2bfc83.

As it stands, 96% ($145 million, at the current market price) !!! of the total token supply remains in that wallet — https://etherscan.io/address/0x9FDcdA036b26176B548D40918D04E0E764b456e1.

This definitely brings a risk of the token price collapse in the scenario where the holder decides to withdraw.

Next, we followed up on the vague response from Alpha with some of our other concerns, highlighting that the team failed to communicate to their community about the centralized nature of the project (“gradual decentralization”? Seriously? Should we call it GraDeFi from now on?), and the fact that whoever has access to the top holder wallet, can dump the token at any time.

Also, do we now all need to ban those asking questions — if we are not ready to give the answers? If there is nothing to hide, why get rid of such comments?

Later the Alpha team published a blog post. Well, nothing explained really.

This is what they told about over a hundred million dollar worth of tokens held on a single wallet:

1. First point on 96% of the token supply in a wallet:

This is genesis minting, generating all supply on *both* Ethereum and Binance Smart Chain. Currently, a fully decentralized cross-chain bridge does not exist at the moment so we need to rely on a more centralized approach.

— Stella💫️️ | 0% Cost Leveraged Strategies Protocol (@stellaxyz_) November 18, 2020

1.1 The biggest holder on Ethereum (964,300,000 ALPHA) is the locked token and can only be unlocked when ALPHA token on Binance Smart Chain (BSC) is transferred to the same address. This is how cross-chain functionality can be deployed on BSC, and how ALPHA can be on both chains.

— Stella💫️️ | 0% Cost Leveraged Strategies Protocol (@stellaxyz_) November 18, 2020

1.2 This means that the 964M on the Ethereum side is only a placeholder for when users “lock” (or send the BSC ALPHA to the Ethereum address) and “unlock” the Ethereum side.

— Stella💫️️ | 0% Cost Leveraged Strategies Protocol (@stellaxyz_) November 18, 2020

Lots of words, little sense. Whatever the system behind their centralization, if the funds are easily accessed like this, there is always a big risk of them being sold.

Basically, they didn’t address the issue and further provided only misleading information.

We’d like to share our response to the misrepresented information from @defiyield_info, as Defiyield does not fully understand the rationale which they would have had they reach out to discuss 👇https://t.co/GDyugxDM7f

— Stella💫️️ | 0% Cost Leveraged Strategies Protocol (@stellaxyz_) November 18, 2020

After our response to them on Twitter, the team stopped responding to the allegations, and haven’t addressed them anywhere. Since then we mentioned them a few times, and received not a single care in the world.

We would say they are hiding somewhere, and it poses serious concerns.

On that note, let’s get to the fun part. We will provide a detailed report with the proof that the tokens held on that holder’s wallet is under a risk, and that the investors are exposed.

If you wanna stay safe and be up to date — subscribe to our newsletter! We will send you our DeFi Security Handbook straightaway. In the ebook we explain how to stay safe, what are we paying attention to while auditing projects and what should you do to not get REKT. You can expect insights, interesting content and updates from us.

💣 The Alpha Team has the ability to move 96% of the tokens anytime: how so?

1. 0x9fdcda036b26176b548d40918d04e0e764b456e1 — Top holder of ERC-20 Alpha token. This address is just a regular address. Technically it does not have any restrictions on token transfers, so any token that is stored on that address can be transferred anywhere/anytime the owner decides to.
2. Alpha Token source code

From the screenshot above we can see that in the ERC-20 Alpha token smart contract the function Transfer uses standard ERC-20 _transfer. So ERC-20 Alpha are usual ERC-20 tokens without any restrictions about how tokens can be transferred etc. Proofs of that you can check here: bloxy. By the link, there listed all of the transactions from 0x9fdcda036b26176b548d40918d04e0e764b456e1.

Below we will add a screenshot of the last transaction. As you can see from that screenshot, the transfer went without any additional checks or something like that.

0x9fdcda036b26176b548d40918d04e0e764b456e1 initiated transfer to the 0x92841bebabe89d3c5e0d5129f19779bdfe3cd9e4 and it was done without any problems.

Example transaction:
https://bloxy.info/tx/0x59367952fc647b85fe9f9339928a964ec78a19adc40af0a15d37aafb8d1b3693

With that info we can see that the owner of 0x9fdcda036b26176b548d40918d04e0e764b456e1 wallet can take the funds from that wallet and transfer them anywhere they want.

1. We also considered their comments regarding the use of Alpha tokens on Binance Chain, not only the ERC20.

First, take a look at the Alpha Token top holder token transactions on the Ethereum mainnet:

And then — at the transactions on the same address on BSC mainnet:

Let us now explain: Alpha claims that the top ERC20 tokens holder cannot move the tokens, unless received the same amounts to its vis-a-vis on the Binance chain.

As we can see on this screenshot there were somewhat similar transactions (IN transactions on BSC followed by OUT transactions on ETH) in the way as it was described by Alpha Finance Lab in their Tweet. But this is only at first glance. Let’s take a closer look at the transactions — and the time of those transactions.

1. The top holder was initially able to send the tokens in and out over 50 days ago.

These seem to be some test in/out transfers of ERC-20 Alpha tokens to that wallet on the beginning of the project, but on the BCS version of that wallet there weren’t any such transfers (but there should’ve been according to the info from their tweet).

1. Transactions on Ethereum took place

way before the transaction on Binance Chain

At the same time Alpha claims that to unlock an amount of ERC-20 Alpha tokens on 0x9fdcda036b26176b548d40918d04e0e764b456e1 they first need to send such amount to the BSC wallet with same address 0x9fdcda036b26176b548d40918d04e0e764b456e1.

But when we take a closer look we can see that OUTCOMING ERC-20 transactions were earlier than INCOMING transactions of BEP-20 token.

All that info shows that the tokens on 0x9fdcda036b26176b548d40918d04e0e764b456e1 are not locked in any way, and can be transferred to any address anytime and/or sold.

In addition there is another thing we find interesting.

When looking at a token, normally, as a potential investment asset, one considers among other things its liquidity in the market.

Now to the point:

1. At the moment of writing the 24hr trading volume on Alpha token is $40M, including $8M on Uniswap only. Nice, eh?
2. Now look closer at the Uniswap pool volumes in creation: etherscan.io

1. By this bytecoded smart contract: 0xb5613129117cf464b63fea37e91789fb45f39826

1. Alpha team mentioned doing this to pass the 0.3% to liquidity providers as an ‘airdrop’, to save on users’ gas fees spent on claiming the tokens. But this action totally fakes the info about the Uniswap trading volume, so it is not clear for me.
2. Our questions here are:
3. whether this should be categorized as an ‘airdrop’ — or plain and simple, wash trading?
4. should we remain confident in the rest of the $40M trading volume on the token? (remember the supply is centralized and concentrated).

🤔 What’s the bottom line?

Since the initial findings were published, Alpha Homora team has made no effort to move into a more decentralized direction. As soon as it has been pointed out, we have witnessed multiple people being banned, accompanied by some lazy excuses.

For me, there are more than enough red flags on that project, and we hope you have sufficient information now to make your own smart decisions. Our advice is to stay away and withdraw the funds immediately if you have something invested in Alpha Homora. The team is now hiding, and has no response to the allegations. Better safe than sorry, especially considering that there is a huge chance of being sorry with this project.

Few words on a larger scale.

Remember what was the case with YFFS and Deus? Upon finding the vulnerability they went on and fixed that, becoming a project we can trust. However, until there are platforms like Alpha Homora, I think there is no chance for the DeFi industry to be long-lasting.

After losing money or even simply reading about scams in the news, who would even think about supporting the industry? We need more trustworthy projects, and we need even more of those that admit to their code vulnerabilities and fix them.

Update of 22 December:

In the beginning, 934 800 003.00 ALPHA (around 98%) were stored in 0x580ce7b92f185d94511c9636869d28130702f68e contract, which is a Gnosis safe multisig wallet of the devs team. Here is the reference.

Owners of the multisig wallet are:

• 0x8bE640413AE82482E7eFB82f10a027C0d43e0ccE (without tx`s)
• 0x9Ea3472918b653666114546389fB64CD07c81e23 (without tx`s)
• 0xB593d82d53e2c187dc49673709a6E9f806cdC835 (EOA)
• 0xF77FaEe35e0D3683C0006c3AFA2992f0E66cD8B5 (EOA)
• 0x9FDcdA036b26176B548D40918D04E0E764b456e1 (EOA)

Only 3 out of 5 members need to sign a transaction for its execution (according to Gnosis safe Policies). None of the Gnosis safe`s safe modules were implemented into this multisig.

We need to understand that from the holders’ point of view, the wallet functions like a simple EOA on the Ethereum mainnet, because there is no guarantee that it can’t be controlled by anyone. That five addresses could be owned by one person, which would make Alpha Homora fully centralized and contradict the main principles of DeFi.

If we look closer to transactions executed by this multisig, we can find out the next problems:

1. *https://etherscan.io/tx/0xb4281c0e5cab00aee3329dd33ec6362c7d53148bf07b00c8d4fd5d34bbb51551*

By this transaction, a dev EOA transfers 1M ALPHA to an unpublished smart contract. No one knows what that contract is. Let’s look closer at this transaction:

The transaction was executed without any timelock, and featured the transfer of 1M ALPHA directly from the EOA to the unpublished contract.

1. Another example: *https://etherscan.io/tx/0x195bd8e8862a3ef805eadac971619b6831e2f0ffdc424543a1a1a23cad9ad09b*

The OEA owner transferred 19,999,999 ALPHA from the Gnosis wallet to another EOA wallet, and then sent the token amount to Binance.
*https://etherscan.io/address/0x54B65C69F88860190895D36AFa22F4144f2DcCBe#tokentxns*

The transaction digitalization:

Again, the direct execution of the transfer into the EOA address.

According to the facts mentioned above, the devs team could transfer any portion of the 98% token supply anytime, to any address, and without any restrictions. In my opinion, this states as a possible rug pull. If the devs decide to sell 98% of tokens today, they will harvest all liquidity from the tokens instantly. Who knows how much holders’ funds have been already stolen.

Have comments or opinions? Let us know!

Check out other articles from the Saga series:

• The Deus Finance Saga
• The YFFS Saga
• The Bundles Finance Saga

Check our guides:

Solana Network Ultimate Yield Farming Guide [Infographics]
Fantom Network Ultimate Yield Farming Guide [Infographics]
Huobi ECO Chain Ultimate Guide for Yield Farming
Polygon Network Ultimate Guide for Yield Farming
Binance Chain Ultimate Guide for Yield Farming

And join us on Twitter and Telegram!

Good luck in farming!