Dear Alchemix team and users,

I have identified a way to exploit your smart contracts. With the help of this exploit I am able to drain your treasury, vaults and farms - COMPLETELY.

I have successfully recreated the same exploit on forks of your codebase.

I request you to make a donation of 101 ETH to 0x2C3B3D107491524288288DFf3884beC4F128716a and I will contact your founder who operates the phone number +1 30* *** 3343 with a full report.

I shall wait until 23:59 UTC on 18th August, 2021 before I proceed with demonstrating the drainage of 100% of the funds.

If my fees are not paid upfront, I will not be able to help you further in any way.

(The same exploit also exists on NAOS Finance and I suggest the NAOS team to also look into sharing the fees.)

  • alchemix1337

P.S. - I could have brought this to your attention privately but I have been burned by several (even popular) DeFi projects. They have refused to pay me a reasonable bounty after receiving the details of security issues and patching it from their end.

Locking this thread for now. We'll get in touch. Maybe.

n4n0 locked the discussion.

Dear Alchemix1337,

Thank you for reaching out to us.
If you have a legitimate exploit to disclose, please do so by visiting our official bug bounty partner here:
https://immunefi.com/bounty/alchemix/

We are very sorry to hear that your bug disclosure efforts have not been honored in the past, but we do things differently here at Alchemix.
As a gesture of goodwill, if you are able to submit a successful bug submission of the nature that you have described, not only shall we pay you the maximum bounty that is available from the program, but we shall also tip you 101 ETH on top.
