On February 13th, Alpha Homora V2 was exploited for ~$38m, despite the fact that the contracts involved had previously passed separate audits from both Quantstamp and PeckShield. Why was the possibility of this exploit missed during their review? To be fair, the exploit was incredibly complex and it’s certainly possibly this attack vector was overlooked entirely by the auditing firms due to that. On the flip side, it’s also possible that an individual knew in advance that this could happen but decided that the pay day from a successful attack outweighed the return from being an honest actor. If you think you can execute an attack and walk away with $38m, why settle for a white hat bounty worth $50k for pointing out the problem? Herein lies the broader issue. As DeFi TVLs rise, the reward dichotomy between being an honest actor rather than a malicious one is becoming increasingly imbalanced. We should expect that whatever can be exploited, will be. While the dynamic of th
