Report: The Alpha Lab Infinite Minting Saga: Team Controls 96% of the tokens

Alpha Homora is my 23rd project audit in 2 months. I have to say, most of them end up being positive/adding improvements after the review goes out, and I can’t be happier about it. It means that the industry is perceived seriously, rather than being a way to scam people and steal funds.

In my audits, among other things, I look for functions or hints that the project retains the ability to scam its investors, including:

  • Infinite minting,
  • Anti-rug pool functions,
  • Minting Exploits,
  • Liquidity pooled,
  • Transfer Allowlist,
  • Owner tampering,
  • Backdoor library.

So, back to Alpha Homora. Same as I did previously with YFFS and Deus, I am writing this article to inform the Community about the concerns I have about this project. As a premise, I would directly say that it seems like they are hiding. But let’s start from the beginning.

As it often happens, everything started on Twitter, where I was warning my audience about some alarming functions I found during my Alpha Homora audit.

https://twitter.com/defiyield_info/status/1328717481117175809?s=20 / https://archive.is/QXIl8

As the community awareness grew, and people started commenting on the matter, Alpha team decided to manage this by simply banning those raising questions.

Also, if somebody mentions “Defiyield” in their group — that’s an instant ban. Don’t believe me? Go try, and see.

This is a huge red flag for me. Some of the stuff people were saying about the situation:

Links: https://t.me/defiyield_info/15884 / https://archive.vn/0bqbE

Links: https://t.me/defiyield_info/15909 / https://archive.vn/qrCEX

Other investigators also started posting about the matter and their concerns, further sharing the information about the fact that the scam probability is very high.

https://twitter.com/WARONRUGS/status/1328768377670819840?s=20 / https://archive.vn/KYHTe

Then finally the project reverted with some answers and vague explanations about the gradual decentralization. Of course, with some users (or bots?) commenting on how transparent the project is, no news.

https://twitter.com/AlphaFinanceLab/status/1328733842392268800?s=20 / https://archive.vn/Z9EIy

For the record, here are some concerns I stated in my audit before:

Initially, there was a huge pre-mine of 1,000,000 ERC20 ALPHA tokens to a wallet marked as Alpha Deployer (regular wallet, 0x1AAf4143C3Fe0D7CA78381C4672E4b08C4Bc009F). All of these were then transferred to the EOA wallet (0x9FDcdA036b26176B548D40918D04E0E764b456e1).

You can find the transaction by the link: https://etherscan.io/tx/0x227d26cf193c0679dc5f1948683c90b65b4e4cc175520841cbb527a2db2bfc83.

As it stands, 96% ($145 million, at the current market price) !!! of the total token supply remains in that wallet — https://etherscan.io/address/0x9FDcdA036b26176B548D40918D04E0E764b456e1.

This definitely brings a risk of a token price collapse in the scenario where the holder decides to withdraw.

Next, I followed up on the vague response from Alpha with some of my other concerns, highlighting that the team failed to communicate to their community about the centralized nature of the project (“gradual decentralization”? Seriously? Should we call it GraDeFi from now on?), and the fact that whoever has access to the top holder wallet, can dump the token at any time.

Also, do we now all need to ban those asking questions — if we are not ready to give the answers? If there is nothing to hide, why get rid of such comments?

https://twitter.com/defiyield_info/status/1328796816096243713?s=20 / https://archive.vn/yHXS4

Later the Alpha team published a blog post. Well, nothing explained really.

This is what they said about over a hundred million dollars’ worth of tokens held in a single wallet:

https://twitter.com/AlphaFinanceLab/status/1328958900683628546 / https://archive.vn/rGipt
https://twitter.com/AlphaFinanceLab/status/1328958902617182208 / https://archive.vn/pJsbI
https://twitter.com/AlphaFinanceLab/status/1328958904575930369 / https://archive.vn/JZegS

Lots of words, little sense. Whatever the system behind their centralization, if the funds are easily accessed like this, there is always a big risk of them being sold.

Basically, they didn’t address the issue and further provided only misleading information.

https://twitter.com/AlphaFinanceLab/status/1328958898557100032?s=20 / https://archive.vn/7YrwP

After my response to them on Twitter, the team stopped responding to the allegations, and haven’t addressed them anywhere. Since then I mentioned them a few times, and received not a single care in the world.

I would say they are hiding somewhere, and it poses serious concerns.

On that note, let’s get to the fun part. I will provide a detailed report with proof that the tokens held in that holder’s wallet are at risk, and that the investors are exposed.

💣 The Alpha Team has the ability to move 96% of the tokens anytime: how so?

  1. 0x9fdcda036b26176b548d40918d04e0e764b456e1 — Top holder of ERC-20 Alpha token. This address is just a regular address. Technically it does not have any restrictions on token transfers, so any token that is stored on that address can be transferred anywhere/anytime the owner decides to.
  2. Alpha Token source code

From the screenshot above we can see that in the ERC-20 Alpha token smart contract the transfer function uses the standard ERC-20 _transfer. So ERC-20 Alpha tokens are ordinary ERC-20 tokens without any restrictions on how they can be transferred. You can check the proof here: bloxy. The link lists all of the transactions from 0x9fdcda036b26176b548d40918d04e0e764b456e1.

Below I will add a screenshot of the last transaction. As you can see from that screenshot, the transfer went without any additional checks or something like that.

0x9fdcda036b26176b548d40918d04e0e764b456e1 initiated transfer to the 0x92841bebabe89d3c5e0d5129f19779bdfe3cd9e4 and it was done without any problems.

Example transaction:
https://bloxy.info/tx/0x59367952fc647b85fe9f9339928a964ec78a19adc40af0a15d37aafb8d1b3693

With that info we can see that the owner of 0x9fdcda036b26176b548d40918d04e0e764b456e1 wallet can take the funds from that wallet and transfer them anywhere they want.

3. I also considered their comments regarding the use of Alpha tokens on Binance Chain, not only the ERC20.

First, take a look at the Alpha Token top holder token transactions on the Ethereum mainnet:

And then — at the transactions on the same address on BSC mainnet:

Let me now explain: Alpha claims that the top ERC20 token holder cannot move the tokens unless the same amounts are first received by its counterpart on the Binance chain.

As we can see on this screenshot there were somewhat similar transactions (IN transactions on BSC followed by OUT transactions on ETH) in the way as it was described by Alpha Finance Lab in their Tweet. But this is only at first glance. Let’s take a closer look at the transactions — and the time of those transactions.

  1. The top holder was initially able to send the tokens in and out over 50 days ago.

These seem to be some test in/out transfers of ERC-20 Alpha tokens to that wallet at the beginning of the project, but on the BSC version of that wallet there weren’t any such transfers (but there should’ve been according to the info from their tweet).

2. Transactions on Ethereum took place way before the transaction on Binance Chain.

At the same time Alpha claims that to unlock an amount of ERC-20 Alpha tokens on 0x9fdcda036b26176b548d40918d04e0e764b456e1 they first need to send such amount to the BSC wallet with same address 0x9fdcda036b26176b548d40918d04e0e764b456e1.

But when we take a closer look we can see that the OUTGOING ERC-20 transactions were earlier than the INCOMING transactions of the BEP-20 token.

All that info shows that the tokens on 0x9fdcda036b26176b548d40918d04e0e764b456e1 are not locked in any way, and can be transferred to any address anytime and/or sold.
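The ordering check described above, written out as an added example (it is not part of the original article or of Alpha's code): it replays transfers from both chains in time order and flags every ERC-20 outflow from the holder that exceeds what the same address had already received on BSC. The transfer records and the `OTHER` counterparty are constructed sample data, and the `Transfer` record and `unbacked_outflows` function are names chosen for this illustration.

```python
from dataclasses import dataclass

HOLDER = "0x9fdcda036b26176b548d40918d04e0e764b456e1"  # top holder named in the article

@dataclass(frozen=True)
class Transfer:
    chain: str      # "eth" (ERC-20) or "bsc" (BEP-20)
    ts: int         # block timestamp, Unix seconds
    sender: str
    recipient: str
    amount: int     # whole tokens, for readability

def unbacked_outflows(transfers, holder=HOLDER):
    """Return (transfer, shortfall) for each ERC-20 outflow from `holder` that
    exceeds the BEP-20 amount the same address had already received on BSC."""
    holder = holder.lower()
    # Replay in time order; on equal timestamps credit the BSC deposit first,
    # which is the reading most favourable to the claimed lock.
    ordered = sorted(transfers, key=lambda t: (t.ts, t.chain != "bsc"))
    bsc_in = eth_out = 0
    violations = []
    for t in ordered:
        if t.chain == "bsc" and t.recipient.lower() == holder:
            bsc_in += t.amount
        elif t.chain == "eth" and t.sender.lower() == holder:
            eth_out += t.amount
            if eth_out > bsc_in:
                violations.append((t, eth_out - bsc_in))
    return violations

# Constructed sample records (not real chain data); OTHER is a placeholder address.
OTHER = "0x" + "11" * 20
SAMPLE = [
    Transfer("eth", 1_600_000_000, HOLDER, OTHER, 1_000),   # early test transfer out
    Transfer("eth", 1_604_000_000, HOLDER, OTHER, 50_000),  # out before any BSC deposit
    Transfer("bsc", 1_604_003_600, OTHER, HOLDER, 50_000),  # matching deposit arrives later
    Transfer("bsc", 1_605_000_000, OTHER, HOLDER, 20_000),
    Transfer("eth", 1_605_000_600, HOLDER, OTHER, 19_000),  # covered by prior deposits
]

if __name__ == "__main__":
    for t, shortfall in unbacked_outflows(SAMPLE):
        print(f"ts={t.ts} out={t.amount} unbacked by {shortfall}")
```

If the claimed lock held, the function would return an empty list for the real transfer history of the address on both chains.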

In addition there is another thing I find interesting.

When looking at a token, normally, as a potential investment asset, one considers among other things its liquidity in the market.

Now to the point:

1. At the moment of writing the 24hr trading volume on Alpha token is $40M, including $8M on Uniswap only. Nice, eh?

2. Now look closer at the Uniswap pool volumes in creation: etherscan.io

3. By this bytecoded smart contract: 0xb5613129117cf464b63fea37e91789fb45f39826

4. Alpha team mentioned doing this to pass the 0.3% to liquidity providers as an ‘airdrop’, to save on users’ gas fees spent on claiming the tokens. But this action totally fakes the info about the Uniswap trading volume, so it is not clear to me.

5. My questions here are:

- whether this should be categorized as an ‘airdrop’ — or plain and simple, wash trading?

- should we remain confident in the rest of the $40M trading volume on the token? (remember the supply is centralized and concentrated).

🤔 What’s the bottom line?

Since the initial findings were published, Alpha Homora team has made no effort to move into a more decentralized direction. As soon as it has been pointed out, we have witnessed multiple people being banned, accompanied by some lazy excuses.

For me, there are more than enough red flags on that project, and I hope you have sufficient information now to make your own smart decisions. My advice is to stay away and withdraw the funds immediately if you have something invested in Alpha Homora. The team is now hiding, and has no response to the allegations. Better safe than sorry, especially considering that there is a huge chance of being sorry with this project.

Few words on a larger scale.

Remember what was the case with YFFS and Deus? Upon finding the vulnerability they went on and fixed that, becoming a project we can trust. However, as long as there are platforms like Alpha Homora, I think there is no chance for the DeFi industry to be long-lasting.

After losing money or even simply reading about scams in the news, who would even think about supporting the industry? We need more trustworthy projects, and we need even more of those that admit to their code vulnerabilities and fix them.

Update of 22 December:

In the beginning, 934 800 003.00 ALPHA (around 98%) were stored in 0x580ce7b92f185d94511c9636869d28130702f68e contract, which is a Gnosis safe multisig wallet of the devs team. Here is the reference.

Owners of the multisig wallet are:

  • 0x8bE640413AE82482E7eFB82f10a027C0d43e0ccE (without txs)
  • 0x9Ea3472918b653666114546389fB64CD07c81e23 (without txs)
  • 0xB593d82d53e2c187dc49673709a6E9f806cdC835 (EOA)
  • 0xF77FaEe35e0D3683C0006c3AFA2992f0E66cD8B5 (EOA)
  • 0x9FDcdA036b26176B548D40918D04E0E764b456e1 (EOA)

Only 3 out of 5 members need to sign a transaction for its execution (according to Gnosis Safe policies). None of the Gnosis Safe’s safe modules were implemented into this multisig.

We need to understand that from the holders’ point of view, the wallet functions like a simple EOA on the Ethereum mainnet, because there is no guarantee that it can’t be controlled by anyone. Those five addresses could be owned by one person, which would make Alpha Homora fully centralized and contradict the main principles of DeFi.

If we look closer at the transactions executed by this multisig, we find the following problems:

  1. https://etherscan.io/tx/0xb4281c0e5cab00aee3329dd33ec6362c7d53148bf07b00c8d4fd5d34bbb51551

By this transaction, a dev EOA transfers 1M ALPHA to an unpublished smart contract. No one knows what that contract is. Let’s look closer at this transaction:

The transaction was executed without any timelock, and featured the transfer of 1M ALPHA directly from the EOA to the unpublished contract.

2. Another example: https://etherscan.io/tx/0x195bd8e8862a3ef805eadac971619b6831e2f0ffdc424543a1a1a23cad9ad09b

The EOA owner transferred 19,999,999 ALPHA from the Gnosis wallet to another EOA wallet, and then sent the token amount to Binance.
https://etherscan.io/address/0x54B65C69F88860190895D36AFa22F4144f2DcCBe#tokentxns

The transaction digitalization:

Again, the direct execution of the transfer into the EOA address.

According to the facts mentioned above, the devs team could transfer any portion of the 98% token supply anytime, to any address, and without any restrictions. In my opinion, this qualifies as a possible rug pull. If the devs decide to sell 98% of tokens today, they will harvest all liquidity from the tokens instantly. Who knows how much of the holders’ funds has already been stolen.

Have comments or opinions? Let me know!
