Alpha Capital, a DeFi staking platform, has recently reported that it lost 90% of all investor funds due to a hack. However, there were many red flags indicating that the hack was in fact an inside job, suggesting a rug pull. As investors, it is important to understand the subtle signs of unsustainable DeFi models so that we can avoid future scams.
Unsustainable DeFi Model of Alpha Capital
Launched in November 2022, Alpha Capital’s main product offers 1%-1.5% daily compound interest on BNB, BUSD, MATIC, and USDC staked on their website through MetaMask, Ledger, and other crypto wallets. However, there is a 5% fee on every deposit, and users lose their interest if they withdraw within 31 days of their deposit. These are the contract addresses controlled by Alpha Capital:
BNB contract on BSC chain: 0xe4018566D1A3178B3b664D0406215096b7a2533B
BUSD contract on BSC chain: 0x95b5dC0B8bd219Cb85181c35e84968E900eF497
MATIC contract on Polygon chain: 0x95b5dC0B8bd219Cb85181c35e84968E900eF4971
USDC contract on Polygon chain: 0x5b7B9B51D2526E832A4D2A6603b1AdCf6Bd8d841
Although 1%-1.5% interest may not sound like a lot, it is compounded daily. This model is similar to the UST yields of Anchor Protocol that played a big part in the collapse of Terra Luna. Additionally, the fact that investors are practically forced to leave their funds for a month gives plenty of time for all sorts of exploits.
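To put numbers on the daily compounding and the 5% deposit fee, here is an added example (not code from Alpha Capital or from the original article) that models what a pool with these terms owes its stakers. The function names, the assumption that nobody withdraws, the assumption that the fee stays in the pool, and the inflow and external yield figures are all hypothetical.

```python
"""Added illustration: liabilities of a fixed daily-compounding staking pool."""


def effective_apy(daily_rate, days=365):
    """Annualised yield implied by compounding daily_rate once per day."""
    return (1 + daily_rate) ** days - 1


def owed_per_unit(daily_rate, days, deposit_fee=0.05):
    """Balance promised after `days` for each 1.0 deposited, net of the fee."""
    return (1 - deposit_fee) * (1 + daily_rate) ** days


def first_insolvent_day(daily_rate, daily_inflow=1.0, inflow_growth=0.0,
                        deposit_fee=0.05, external_yield=0.0, horizon=365):
    """Return the first day on which promised balances exceed assets held.

    Assumptions (hypothetical, chosen to favour the platform): nobody
    withdraws, the deposit fee stays in the pool, and new deposits keep
    arriving every day. Returns None if the pool stays solvent for `horizon`.
    """
    assets = liabilities = 0.0
    inflow = daily_inflow
    for day in range(1, horizon + 1):
        assets *= 1 + external_yield      # what the pool actually earns
        liabilities *= 1 + daily_rate     # what stakers have been promised
        assets += inflow                  # the whole deposit lands in the pool
        liabilities += inflow * (1 - deposit_fee)
        if liabilities > assets:
            return day
        inflow *= 1 + inflow_growth       # tomorrow's deposits
    return None


if __name__ == "__main__":
    for rate in (0.01, 0.015):
        print(f"daily rate {rate:.1%}")
        print(f"  implied APY:              {effective_apy(rate):,.0%}")
        print(f"  owed after 31 days:       {owed_per_unit(rate, 31):.2f} per 1.00 deposited")
        print(f"  insolvent (flat inflow):  day {first_insolvent_day(rate)}")
        print(f"  insolvent (+5%/day flow): day {first_insolvent_day(rate, inflow_growth=0.05)}")
```

Under these assumptions the promised balances overtake the pool's assets within about two weeks unless the platform itself earns at least the advertised daily rate on the funds it holds.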
How Did Alpha Capital Get Hacked?
Alpha Capital had an “insurance fund” wallet into which they were putting a small percentage of the yields and deposit funds. After the hack, they announced on their Telegram channel that while they were attempting to create an Application Programming Interface (API) on their website for the insurance fund wallet, a hacker managed to access the File Transfer Protocol (FTP) of their website. As a result, the hacker was able to steal their private keys, making off with roughly 90% of the funds. Alpha Capital was able to save the remaining 10% of the funds, worth $250,000, and refunded them to investors in USDC via MATIC.
Several community members criticized Alpha Capital’s incompetence in security protocols, as using FTP alone is not a secure way to transfer files. However, some pointed out that FTP is particularly vulnerable to brute-force attacks, which involve guessing passwords, suggesting that an inside job is likely to be the case.