{"id":1426,"date":"2020-11-11T13:37:59","date_gmt":"2020-11-11T13:37:59","guid":{"rendered":"https:\/\/de.fi\/blog\/?p=1426"},"modified":"2023-09-17T10:48:48","modified_gmt":"2023-09-17T10:48:48","slug":"report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740","status":"publish","type":"post","link":"https:\/\/de.fi\/blog\/report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740","title":{"rendered":"Report: The Alpha Lab Infinite Minting Saga: Team Controls 96% of the tokens"},"content":{"rendered":"<p>Alpha Homora is our <a href=\"https:\/\/de.fi\/audit-database\/de.fi\/alpha_finance_lab\">23rd project audit in 2 months<\/a>. We have to say, most of them end up being positive\/adding improvements after the review goes out, and we can\u2019t be happier about it. It means that the industry is perceived seriously, rather than being a way to scam people and steal funds.<\/p>\n<p>In our audits among other things we look for the functions\/hints if the project retains the ability of scamming its investors including<\/p>\n<ul>\n<li>Infinite minting,<\/li>\n<li>Anti-rug pool functions,<\/li>\n<li>Minting Exploits,<\/li>\n<li>Liquidity pooled,<\/li>\n<li>Transfer Allowlist,<\/li>\n<li>Owner tampering,<\/li>\n<li>Backdoor library.<\/li>\n<\/ul>\n<p>So, back to Alpha Homora. Same as we did previously with <a href=\"https:\/\/de.fi\/blog\/the-yffs-saga-how-a-yield-farming-project-was-compelled-to-fix-its-code-6c5ee77816bb\">YFFS <\/a>and <a href=\"https:\/\/de.fi\/blog\/how-deus-finance-fixed-its-code-following-a-defiyield-info-report-51775ef59a5b\">Deus<\/a>, we are writing this article to inform the Community about the concerns we have about this project. As a premise, we would directly say that it seems like they are hiding. But let\u2019s start from the beginning.<\/p>\n<p>As it often happens, everything started on <a href=\"https:\/\/twitter.com\/DeDotFi\/status\/1328717481117175809?s=20\">Twitter<\/a>, where we were warning our audience about some alarming functions we found during our <a href=\"https:\/\/de.fi\/audit-database\/de.fi\/alpha_finance_lab\">Alpha Homora audit<\/a>.<\/p>\n<p><img decoding=\"async\" class=\"legacymediumimages\" src=\"https:\/\/de.fi\/blog\/wp-content\/uploads\/2023\/06\/1pozOxwwz_RRBSoFUqw3DOw.png\" alt=\"[https:\/\/twitter.com\/de.fi\/status\/1328717481117175809](https:\/\/twitter.com\/defiyield_app\/status\/1328717481117175809) \/ [https:\/\/archive.is\/QXIl8](https:\/\/archive.is\/QXIl8)\" \/><\/p>\n<p><strong>As the community awareness grew, and people started commenting on the matter, Alpha team decided to manage this by simply banning those raising questions.<\/strong><\/p>\n<p>Also, if somebody mentions \u2018\u2019De.Fi\u2019\u2019 in their group \u2014 that\u2019s an instant ban. Don\u2019t believe us? Go try, and see.<\/p>\n<p>This is a huge red flag for us. Some of the stuff people were saying about the situation:<br \/>\n<strong>Nealan Smith in De.Fi \ud83e\uddd1\u200d\ud83c\udf3e\ud83d\ude9c<\/strong><br \/>\n<em>i got banned from the group of Alpha Lab for linking this article<\/em><\/p>\n<p><em>Links: <\/em><a href=\"https:\/\/t.me\/DeDotFi\/15884\">https:\/\/t.me\/DeDotFi\/15884<\/a> &amp;\u00a0<a href=\"https:\/\/archive.vn\/0bqbE\">https:\/\/archive.vn\/0bqbE<\/a><em><br \/>\n<\/em><\/p>\n<p><em><strong>Dan Smith in De.Fi \ud83e\uddd1\u200d\ud83c\udf3e\ud83d\ude9c<\/strong><br \/>\n<\/em>i invest in $alpha and i wanted to ask clarification to the Alpha team<\/p>\n<p><em>Links: <\/em><a href=\"https:\/\/t.me\/DeDotFi\/15909\">https:\/\/t.me\/DeDotFi\/15909<\/a> &amp;\u00a0<a href=\"https:\/\/archive.vn\/qrCEX\">https:\/\/archive.vn\/qrCEX<\/a><\/p>\n<p>Other investigators also started posting about the matter and their concerns, further sharing the information about the fact that the scam probability is very high.<\/p>\n<p><img decoding=\"async\" class=\"legacymediumimages\" src=\"https:\/\/de.fi\/blog\/wp-content\/uploads\/2023\/06\/1N0kFidU7QldQLWOjVOD10w.png\" alt=\"[https:\/\/twitter.com\/WARONRUGS\/status\/1328768377670819840?s=20](https:\/\/twitter.com\/WARONRUGS\/status\/1328768377670819840?s=20) \/ [https:\/\/archive.vn\/KYHTe](https:\/\/archive.vn\/KYHTe)\" \/><\/p>\n<p>Then finally the project reverted with some answers and vague explanations about the gradual decentralization. Of course, with some users (or bots?) commenting on how transparent the project is, no news.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">Several points from us<br \/>\n1. What you are doing is unprofessional. If you want to learn more about these points, you should have contacted us and learn about the rational behind the decision before just outright screaming exit ASAP.<\/p>\n<p>See more below<\/p>\n<p>\u2014 Stella\ud83d\udcab\ufe0f\ufe0f | 0% Cost Leveraged Strategies Protocol (@stellaxyz_) <a href=\"https:\/\/twitter.com\/stellaxyz_\/status\/1328733842392268800?ref_src=twsrc%5Etfw\">November 17, 2020<\/a><\/p><\/blockquote>\n<p><script async=\"\" src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p><strong>For the record, here are some concerns we stated in my audit before <\/strong>:<\/p>\n<p>Initially, there was a huge pre-mine of 1,000,000 ERC20 ALPHA tokens to a wallet marked as Alpha Deployer (regular wallet, 0x1AAf4143C3Fe0D7CA78381C4672E4b08C4Bc009F). All of these further were transferred to the EOA wallet (0x9FDcdA036b26176B548D40918D04E0E764b456e1).<\/p>\n<p>You can find the transaction by the link: <a href=\"https:\/\/etherscan.io\/tx\/0x227d26cf193c0679dc5f1948683c90b65b4e4cc175520841cbb527a2db2bfc83\">https:\/\/etherscan.io\/tx\/0x227d26cf193c0679dc5f1948683c90b65b4e4cc175520841cbb527a2db2bfc83<\/a>.<\/p>\n<p>As it stands, 96% ($145 million, at the current market price) !!! of the total token supply remains in that wallet \u2014 <a href=\"https:\/\/etherscan.io\/address\/0x9FDcdA036b26176B548D40918D04E0E764b456e1.\">https:\/\/etherscan.io\/address\/0x9FDcdA036b26176B548D40918D04E0E764b456e1.<\/a><\/p>\n<p>This definitely brings a risk of the token price collapse in the scenario where the holder decides to withdraw.<\/p>\n<p>Next, we followed up on the vague response from Alpha with some of our other concerns, highlighting that the team failed to communicate to their community about the centralized nature of the project (\u201cgradual decentralization\u201d? Seriously? Should we call it GraDeFi from now on?), and the fact that whoever has access to the top holder wallet, can dump the token at any time.<\/p>\n<p>Also, do we now all need to ban those asking questions \u2014 if we are not ready to give the answers? If there is nothing to hide, why get rid of such comments?<\/p>\n<p><img decoding=\"async\" class=\"legacymediumimages\" src=\"https:\/\/de.fi\/blog\/wp-content\/uploads\/2023\/06\/13Jvw31w_SxSmqgeMy0Ou6Q.png\" alt=\"[https:\/\/twitter.com\/de.fi\/status\/1328796816096243713](https:\/\/twitter.com\/defiyield_app\/status\/1328796816096243713) \/ [https:\/\/archive.vn\/yHXS4](https:\/\/archive.vn\/yHXS4)\" \/><\/p>\n<p>Later the Alpha team published a blog post. Well, nothing explained really.<\/p>\n<p>This is what they told about over a hundred million dollar worth of tokens held on a single wallet:<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">1. First point on 96% of the token supply in a wallet:<\/p>\n<p>This is genesis minting, generating all supply on *both* Ethereum and Binance Smart Chain. Currently, a fully decentralized cross-chain bridge does not exist at the moment so we need to rely on a more centralized approach.<\/p>\n<p>\u2014 Stella\ud83d\udcab\ufe0f\ufe0f | 0% Cost Leveraged Strategies Protocol (@stellaxyz_) <a href=\"https:\/\/twitter.com\/stellaxyz_\/status\/1328958900683628546?ref_src=twsrc%5Etfw\">November 18, 2020<\/a><\/p><\/blockquote>\n<p><script async=\"\" src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">1.1 The biggest holder on Ethereum (964,300,000 ALPHA) is the locked token and can only be unlocked when ALPHA token on Binance Smart Chain (BSC) is transferred to the same address. This is how cross-chain functionality can be deployed on BSC, and how ALPHA can be on both chains.<\/p>\n<p>\u2014 Stella\ud83d\udcab\ufe0f\ufe0f | 0% Cost Leveraged Strategies Protocol (@stellaxyz_) <a href=\"https:\/\/twitter.com\/stellaxyz_\/status\/1328958902617182208?ref_src=twsrc%5Etfw\">November 18, 2020<\/a><\/p><\/blockquote>\n<p><script async=\"\" src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">1.2 This means that the 964M on the Ethereum side is only a placeholder for when users &#8220;lock&#8221; (or send the BSC ALPHA to the Ethereum address) and \u201cunlock\u201d the Ethereum side.<\/p>\n<p>\u2014 Stella\ud83d\udcab\ufe0f\ufe0f | 0% Cost Leveraged Strategies Protocol (@stellaxyz_) <a href=\"https:\/\/twitter.com\/stellaxyz_\/status\/1328958904575930369?ref_src=twsrc%5Etfw\">November 18, 2020<\/a><\/p><\/blockquote>\n<p><script async=\"\" src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Lots of words, little sense. Whatever the system behind their centralization, if the funds are easily accessed like this, there is always a big risk of them being sold.<\/p>\n<p>Basically, they didn\u2019t address the issue and further provided only misleading information.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">We&#8217;d like to share our response to the misrepresented information from @defiyield_info, as Defiyield does not fully understand the rationale which they would have had they reach out to discuss \ud83d\udc47<a href=\"https:\/\/t.co\/GDyugxDM7f\">https:\/\/t.co\/GDyugxDM7f<\/a><\/p>\n<p>\u2014 Stella\ud83d\udcab\ufe0f\ufe0f | 0% Cost Leveraged Strategies Protocol (@stellaxyz_) <a href=\"https:\/\/twitter.com\/stellaxyz_\/status\/1328958898557100032?ref_src=twsrc%5Etfw\">November 18, 2020<\/a><\/p><\/blockquote>\n<p><script async=\"\" src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>After our response to them on Twitter, the team stopped responding to the allegations, and haven\u2019t addressed them anywhere. Since then we mentioned them a few times, and received not a single care in the world.<\/p>\n<p><img decoding=\"async\" class=\"legacymediumimages\" src=\"https:\/\/de.fi\/blog\/wp-content\/uploads\/2023\/06\/1AsiaJYIlSa_rpfFQrcZIjQ.gif\" alt=\"\" \/><\/p>\n<p>We would say they are hiding somewhere, and it poses serious concerns.<\/p>\n<p>On that note, let\u2019s get to the fun part. We will provide a detailed report with the proof that the tokens held on that holder\u2019s wallet is under a risk, and that the investors are exposed.<\/p>\n<blockquote><p><em>If you wanna stay safe and be up to date \u2014 <a href=\"https:\/\/join.de.fi\/\">subscribe to our newsletter<\/a>! We will send you our <strong>DeFi Security Handbook <\/strong>straightaway. In the ebook we explain <\/em>how to stay safe, what are we paying attention to while auditing projects and what should you do to not get REKT. <em>You can expect insights, interesting content and updates from us.<\/em><\/p><\/blockquote>\n<h2 id=\"-the-alpha-team-has-the-ability-to-move-96-of-the-tokens-anytime-how-so-\">\ud83d\udca3 The Alpha Team has the ability to move 96% of the tokens anytime: how so?<\/h2>\n<ol>\n<li><a href=\"https:\/\/etherscan.io\/address\/0x9fdcda036b26176b548d40918d04e0e764b456e1\">0x9fdcda036b26176b548d40918d04e0e764b456e1<\/a> \u2014 Top holder of ERC-20 Alpha token. This address is just a regular address. Technically it does not have any restrictions on token transfers, so any token that is stored on that address can be transferred anywhere\/anytime the owner decides to.<\/li>\n<li><a href=\"https:\/\/etherscan.io\/address\/0xa1faa113cbe53436df28ff0aee54275c13b40975#code\">Alpha Token source code<\/a><\/li>\n<\/ol>\n<p><img decoding=\"async\" class=\"legacymediumimages\" src=\"https:\/\/de.fi\/blog\/wp-content\/uploads\/2023\/06\/0SdsrcZMwiSNoobmo.png\" alt=\"\" \/><\/p>\n<p>From the screenshot above we can see that in the ERC-20 Alpha token smart contract the function <em>Transfer <\/em>uses standard ERC-20 _transfer. So ERC-20 Alpha are usual ERC-20 tokens without any restrictions about how tokens can be transferred etc. Proofs of that you can check here: <a href=\"https:\/\/bloxy.info\/txs\/transfers_from\/0x9fdcda036b26176b548d40918d04e0e764b456e1?currency_id=544210\">bloxy<\/a>. By the link, there listed all of the transactions from <a href=\"https:\/\/etherscan.io\/address\/0x9fdcda036b26176b548d40918d04e0e764b456e1\">0x9fdcda036b26176b548d40918d04e0e764b456e1<\/a>.<\/p>\n<p>Below we will add a screenshot of the last transaction. As you can see from that screenshot, the transfer went without any additional checks or something like that.<\/p>\n<p><a href=\"https:\/\/etherscan.io\/address\/0x9fdcda036b26176b548d40918d04e0e764b456e1\">0x9fdcda036b26176b548d40918d04e0e764b456e1<\/a> initiated transfer to the 0x92841bebabe89d3c5e0d5129f19779bdfe3cd9e4 and it was done without any problems.<\/p>\n<p>Example transaction:<br \/>\n<a href=\"https:\/\/bloxy.info\/tx\/0x59367952fc647b85fe9f9339928a964ec78a19adc40af0a15d37aafb8d1b3693\">https:\/\/bloxy.info\/tx\/0x59367952fc647b85fe9f9339928a964ec78a19adc40af0a15d37aafb8d1b3693<\/a><\/p>\n<p><img decoding=\"async\" class=\"legacymediumimages\" src=\"https:\/\/de.fi\/blog\/wp-content\/uploads\/2023\/06\/0JvUgExqms1td5y7u.png\" alt=\"\" \/><\/p>\n<p>With that info we can see that the owner of <a href=\"https:\/\/etherscan.io\/address\/0x9fdcda036b26176b548d40918d04e0e764b456e1\">0x9fdcda036b26176b548d40918d04e0e764b456e1<\/a> wallet can take the funds from that wallet and transfer them anywhere they want.<\/p>\n<ol>\n<li>We also considered their comments regarding the use of Alpha tokens on Binance Chain, not only the ERC20.<\/li>\n<\/ol>\n<p><img decoding=\"async\" class=\"legacymediumimages\" src=\"https:\/\/de.fi\/blog\/wp-content\/uploads\/2023\/06\/0jaPaFUANnKzdM3nl.png\" alt=\"\" \/><\/p>\n<p>First, take a look at the <a href=\"https:\/\/etherscan.io\/address\/0x9fdcda036b26176b548d40918d04e0e764b456e1#tokentxns\">Alpha Token top holder<\/a> token transactions on the Ethereum mainnet:<\/p>\n<p><img decoding=\"async\" class=\"legacymediumimages\" src=\"https:\/\/de.fi\/blog\/wp-content\/uploads\/2023\/06\/1OK4_EvqqSnk3pvZ-zh0YPw.png\" alt=\"\" \/><\/p>\n<p>And then \u2014 at the transactions on the <a href=\"https:\/\/bscscan.com\/address\/0x9fdcda036b26176b548d40918d04e0e764b456e1#tokentxns\">same address<\/a> on BSC mainnet:<\/p>\n<p><img decoding=\"async\" class=\"legacymediumimages\" src=\"https:\/\/de.fi\/blog\/wp-content\/uploads\/2023\/06\/1tDjL5Y4nkCy-IPMgq4lc5A.png\" alt=\"\" \/><\/p>\n<p>Let us now explain: Alpha claims that the top ERC20 tokens holder cannot move the tokens, unless received the same amounts to its vis-a-vis on the Binance chain.<\/p>\n<p>As we can see on this screenshot there were somewhat similar transactions (IN transactions on BSC followed by OUT transactions on ETH) in the way as it was described by Alpha Finance Lab in their Tweet. But this is only at first glance. Let\u2019s take a closer look at the transactions \u2014 and the time of those transactions.<\/p>\n<ol>\n<li>The top holder was initially able to send the tokens in and out over 50 days ago.<\/li>\n<\/ol>\n<p><img decoding=\"async\" class=\"legacymediumimages\" src=\"https:\/\/de.fi\/blog\/wp-content\/uploads\/2023\/06\/0zvxDCjUSF0cs0WwT.png\" alt=\"\" \/><\/p>\n<p>These seem to be some test in\/out transfers of ERC-20 Alpha tokens to that wallet on the beginning of the project, but on the BCS version of that wallet there weren\u2019t any such transfers (but there should\u2019ve been according to the info from their tweet).<\/p>\n<ol>\n<li>Transactions on Ethereum took place<\/li>\n<\/ol>\n<p><img decoding=\"async\" class=\"legacymediumimages\" src=\"https:\/\/de.fi\/blog\/wp-content\/uploads\/2023\/06\/0k6gzUbw2y9DxriB5.png\" alt=\"\" \/><\/p>\n<p>way before the transaction on Binance Chain<\/p>\n<p><img decoding=\"async\" class=\"legacymediumimages\" src=\"https:\/\/de.fi\/blog\/wp-content\/uploads\/2023\/06\/0L54i8FXlBNZ1SFW7.png\" alt=\"\" \/><\/p>\n<p>At the same time Alpha claims that to unlock an amount of ERC-20 Alpha tokens on <a href=\"https:\/\/etherscan.io\/address\/0x9fdcda036b26176b548d40918d04e0e764b456e1\">0x9fdcda036b26176b548d40918d04e0e764b456e1<\/a> they first need to send such amount to the BSC wallet with same address <a href=\"https:\/\/bscscan.com\/address\/0x9fdcda036b26176b548d40918d04e0e764b456e1\">0x9fdcda036b26176b548d40918d04e0e764b456e1<\/a>.<\/p>\n<p>But when we take a closer look we can see that OUTCOMING ERC-20 transactions were earlier than INCOMING transactions of BEP-20 token.<\/p>\n<p>All that info shows that the tokens on <a href=\"https:\/\/etherscan.io\/address\/0x9fdcda036b26176b548d40918d04e0e764b456e1\">0x9fdcda036b26176b548d40918d04e0e764b456e1<\/a> are not locked in any way, and can be transferred to any address anytime and\/or sold.<\/p>\n<p>In addition there is another thing we find interesting.<\/p>\n<p>When looking at a token, normally, as a potential investment asset, one considers among other things its liquidity in the market.<\/p>\n<p>Now to the point:<\/p>\n<ol>\n<li>At the moment of writing the 24hr trading volume on Alpha token is $40M, including $8M on Uniswap only. Nice, eh?<\/li>\n<li>Now look closer at the Uniswap pool volumes in creation: <a href=\"https:\/\/etherscan.io\/token\/0xa1faa113cbe53436df28ff0aee54275c13b40975?a=0xb5613129117cf464b63fea37e91789fb45f39826\">etherscan.io<\/a><\/li>\n<\/ol>\n<p><img decoding=\"async\" class=\"legacymediumimages\" src=\"https:\/\/de.fi\/blog\/wp-content\/uploads\/2023\/06\/0OmVd_QcqrRpN2HDo.png\" alt=\"\" \/><\/p>\n<ol>\n<li>By this bytecoded smart contract: <a href=\"https:\/\/etherscan.io\/address\/0xb5613129117cf464b63fea37e91789fb45f39826#code\">0xb5613129117cf464b63fea37e91789fb45f39826<\/a><\/li>\n<\/ol>\n<p><img decoding=\"async\" class=\"legacymediumimages\" src=\"https:\/\/de.fi\/blog\/wp-content\/uploads\/2023\/06\/0ld6CZ7enBzomxLQq.png\" alt=\"\" \/><\/p>\n<ol>\n<li>Alpha team mentioned doing this to pass the 0.3% to liquidity providers as an \u2018airdrop\u2019, to save on users\u2019 gas fees spent on claiming the tokens. But this action totally fakes the info about the Uniswap trading volume, so it is not clear for me.<\/li>\n<li>Our questions here are:<\/li>\n<li>whether this should be categorized as an \u2018airdrop\u2019 \u2014 or plain and simple, wash trading?<\/li>\n<li>should we remain confident in the rest of the $40M trading volume on the token? (remember the supply is centralized and concentrated).<\/li>\n<\/ol>\n<h2 id=\"-what-s-the-bottom-line-\">\ud83e\udd14 What\u2019s the bottom line?<\/h2>\n<p>Since the initial findings were published, Alpha Homora team has made no effort to move into a more decentralized direction. As soon as it has been pointed out, we have witnessed multiple people being banned, accompanied by some lazy excuses.<\/p>\n<p>For me, there are more than enough red flags on that project, and we hope you have sufficient information now to make your own smart decisions. Our advice is to stay away and withdraw the funds immediately if you have something invested in Alpha Homora. The team is now hiding, and has no response to the allegations. Better safe than sorry, especially considering that there is a huge chance of being sorry with this project.<\/p>\n<p>Few words on a larger scale.<\/p>\n<p>Remember what was the case with <a href=\"https:\/\/de.fi\/blog\/the-yffs-saga-how-a-yield-farming-project-was-compelled-to-fix-its-code-6c5ee77816bb\">YFFS<\/a> and <a href=\"https:\/\/de.fi\/blog\/how-deus-finance-fixed-its-code-following-a-defiyield-info-report-51775ef59a5b\">Deus<\/a>? Upon finding the vulnerability they went on and fixed that, becoming a project we can trust. However, until there are platforms like Alpha Homora, I think there is no chance for the DeFi industry to be long-lasting.<\/p>\n<p>After losing money or even simply reading about scams in the news, who would even think about supporting the industry? We need more trustworthy projects, and we need even more of those that admit to their code vulnerabilities and fix them.<\/p>\n<h2 id=\"-update-of-22-december-\"><strong>Update of 22 December:<\/strong><\/h2>\n<p>In the beginning, 934 800 003.00 ALPHA (around 98%) were stored in <em>0x580ce7b92f185d94511c9636869d28130702f68e<\/em> contract, which is a Gnosis safe multisig wallet of the devs team. <a href=\"https:\/\/gnosis-safe.io\/app\/#\/safes\/0x580ce7b92f185d94511c9636869d28130702f68e\/balances\">Here<\/a> is the reference.<\/p>\n<p>Owners of the multisig wallet are:<\/p>\n<ul>\n<li><em>0x8bE640413AE82482E7eFB82f10a027C0d43e0ccE (without tx`s)<\/em><\/li>\n<li><em>0x9Ea3472918b653666114546389fB64CD07c81e23 (without tx`s)<\/em><\/li>\n<li><em>0xB593d82d53e2c187dc49673709a6E9f806cdC835 (EOA)<\/em><\/li>\n<li><em>0xF77FaEe35e0D3683C0006c3AFA2992f0E66cD8B5 (EOA)<\/em><\/li>\n<li><em>0x9FDcdA036b26176B548D40918D04E0E764b456e1 (EOA)<\/em><\/li>\n<\/ul>\n<p>Only 3 out of 5 members need to sign a transaction for its execution (according to <a href=\"https:\/\/gnosis-safe.io\/app\/#\/safes\/0x580ce7b92f185d94511c9636869d28130702f68e\/settings\">Gnosis safe Policies<\/a>). None of the Gnosis safe`s safe modules were implemented into this multisig.<\/p>\n<p>We need to understand that from the holders\u2019 point of view, the wallet functions like a simple EOA on the Ethereum mainnet, because there is no guarantee that it can\u2019t be controlled by anyone. That five addresses could be owned by one person, which would make Alpha Homora fully centralized and contradict the main principles of DeFi.<\/p>\n<p>If we look closer to transactions executed by this multisig, we can find out the next problems:<\/p>\n<ol>\n<li><a href=\"https:\/\/etherscan.io\/tx\/0xb4281c0e5cab00aee3329dd33ec6362c7d53148bf07b00c8d4fd5d34bbb51551\">*https:\/\/etherscan.io\/tx\/0xb4281c0e5cab00aee3329dd33ec6362c7d53148bf07b00c8d4fd5d34bbb51551<\/a>*<\/li>\n<\/ol>\n<p>By this transaction, a dev EOA transfers 1M ALPHA to an unpublished smart contract. No one knows what that contract is. Let\u2019s look closer at this transaction:<\/p>\n<p><img decoding=\"async\" class=\"legacymediumimages\" src=\"https:\/\/de.fi\/blog\/wp-content\/uploads\/2023\/06\/1sDc2asQz-P954LT80n3Otw.jpg\" alt=\"\" \/><\/p>\n<p>The transaction was executed without any timelock, and featured the transfer of 1M ALPHA directly from the EOA to the unpublished contract.<\/p>\n<ol>\n<li>Another example: <a href=\"https:\/\/etherscan.io\/tx\/0x195bd8e8862a3ef805eadac971619b6831e2f0ffdc424543a1a1a23cad9ad09b\">*https:\/\/etherscan.io\/tx\/0x195bd8e8862a3ef805eadac971619b6831e2f0ffdc424543a1a1a23cad9ad09b<\/a>*<\/li>\n<\/ol>\n<p>The OEA owner transferred 19,999,999 ALPHA from the Gnosis wallet to another EOA wallet, and then sent the token amount to Binance.<br \/>\n<a href=\"https:\/\/etherscan.io\/address\/0x54B65C69F88860190895D36AFa22F4144f2DcCBe#tokentxns\">*https:\/\/etherscan.io\/address\/0x54B65C69F88860190895D36AFa22F4144f2DcCBe#tokentxns<\/a>*<\/p>\n<p><img decoding=\"async\" class=\"legacymediumimages\" src=\"https:\/\/de.fi\/blog\/wp-content\/uploads\/2023\/06\/0gukZeKRiWDWz0Usd.png\" alt=\"\" \/><\/p>\n<p>The transaction digitalization:<\/p>\n<p><img decoding=\"async\" class=\"legacymediumimages\" src=\"https:\/\/de.fi\/blog\/wp-content\/uploads\/2023\/06\/1DYzOEvSf35PK3951oe70pw.jpg\" alt=\"\" \/><\/p>\n<p>Again, the direct execution of the transfer into the EOA address.<\/p>\n<p>According to the facts mentioned above, the devs team could transfer any portion of the 98% token supply anytime, to any address, and without any restrictions. In my opinion, this states as a possible <a href=\"https:\/\/de.fi\/blog\/what-is-crypto-rug-pull-defi-exploit\">rug pull<\/a>. If the devs decide to sell 98% of tokens today, they will harvest all liquidity from the tokens instantly. Who knows how much holders\u2019 funds have been already stolen.<\/p>\n<p>Have comments or opinions? Let us know!<\/p>\n<p>Check out other articles from the Saga series:<\/p>\n<ul>\n<li><a href=\"https:\/\/de.fi\/blog\/how-deus-finance-fixed-its-code-following-a-defiyield-info-report-51775ef59a5b\">The Deus Finance Saga<\/a><\/li>\n<li><a href=\"https:\/\/de.fi\/blog\/the-yffs-saga-how-a-yield-farming-project-was-compelled-to-fix-its-code-6c5ee77816bb\">The YFFS Saga<\/a><\/li>\n<li><a href=\"https:\/\/de.fi\/blog\/the-bundles-finance-saga-defiyield-info-9a25a8b99140\">The Bundles Finance Saga<\/a><\/li>\n<\/ul>\n<h2 id=\"check-our-guides-\">Check our guides:<\/h2>\n<p><a href=\"https:\/\/de.fi\/blog\/the-ultimate-yield-farming-guide-for-solana-network-infographics-985936db4392\">Solana Network Ultimate Yield Farming Guide [Infographics]<\/a><br \/>\n<a href=\"https:\/\/de.fi\/blog\/ultimate-yield-farming-guide-for-fantom-network-5c5dea0c719a\">Fantom Network Ultimate Yield Farming Guide [Infographics]<\/a><br \/>\n<a href=\"https:\/\/de.fi\/blog\/the-ultimate-guide-for-yield-farming-with-huobi-eco-chain-cde009ed3457\">Huobi ECO Chain Ultimate Guide for Yield Farming<\/a><br \/>\n<a href=\"https:\/\/de.fi\/blog\/the-ultimate-guide-for-yield-farming-with-polygon-network-373b77ccb1cf\">Polygon Network Ultimate Guide for Yield Farming<\/a><br \/>\n<a href=\"https:\/\/de.fi\/blog\/the-ultimate-guide-for-yield-farming-with-binance-chain-dbc23beb6df4\">Binance Chain Ultimate Guide for Yield Farming<\/a><\/p>\n<p>And join us on <a href=\"https:\/\/twitter.com\/DeDotFi\">Twitter<\/a>\u00a0and <a href=\"https:\/\/t.me\/DeDotFi\">Telegram!<\/a><\/p>\n<p><strong>Good luck in farming!<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Alpha Homora is our 23rd project audit in 2 months. We have to say, most of them end up being positive\/adding improvements after the review goes out, and we can\u2019t be happier about it.<\/p>\n","protected":false},"author":2,"featured_media":5546,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[55,7,12],"class_list":["post-1426","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-defi","tag-defi_vs_scams","tag-defi","tag-updates"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Report: The Alpha Lab Infinite Minting Saga: Team Controls 96% of the tokens<\/title>\n<meta name=\"description\" content=\"We are writing this article to inform the Community about the concerns we have about this project.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/de.fi\/blog\/report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Report: The Alpha Lab Infinite Minting Saga: Team Controls 96% of the tokens\" \/>\n<meta property=\"og:description\" content=\"We are writing this article to inform the Community about the concerns we have about this project.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/de.fi\/blog\/report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740\" \/>\n<meta property=\"og:site_name\" content=\"De.Fi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2020-11-11T13:37:59+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-09-17T10:48:48+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/de.fi\/blog\/wp-content\/uploads\/2020\/11\/3-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1400\" \/>\n\t<meta property=\"og:image:height\" content=\"736\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"De.Fi Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@dedotfi\" \/>\n<meta name=\"twitter:site\" content=\"@dedotfi\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"De.Fi Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/de.fi\/blog\/report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740#article\",\"isPartOf\":{\"@id\":\"https:\/\/de.fi\/blog\/report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740\"},\"author\":{\"name\":\"De.Fi Security\",\"@id\":\"https:\/\/de.fi\/blog\/#\/schema\/person\/bc7c94cb5e037c8978c6059885825591\"},\"headline\":\"Report: The Alpha Lab Infinite Minting Saga: Team Controls 96% of the tokens\",\"datePublished\":\"2020-11-11T13:37:59+00:00\",\"dateModified\":\"2023-09-17T10:48:48+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/de.fi\/blog\/report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740\"},\"wordCount\":2478,\"publisher\":{\"@id\":\"https:\/\/de.fi\/blog\/#organization\"},\"keywords\":[\"De.Fi vs Scams\",\"Defi\",\"Updates\"],\"articleSection\":[\"De.Fi\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/de.fi\/blog\/report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740\",\"url\":\"https:\/\/de.fi\/blog\/report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740\",\"name\":\"Report: The Alpha Lab Infinite Minting Saga: Team Controls 96% of the tokens\",\"isPartOf\":{\"@id\":\"https:\/\/de.fi\/blog\/#website\"},\"datePublished\":\"2020-11-11T13:37:59+00:00\",\"dateModified\":\"2023-09-17T10:48:48+00:00\",\"description\":\"We are writing this article to inform the Community about the concerns we have about this project.\",\"breadcrumb\":{\"@id\":\"https:\/\/de.fi\/blog\/report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/de.fi\/blog\/report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/de.fi\/blog\/report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/de.fi\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Report: The Alpha Lab Infinite Minting Saga: Team Controls 96% of the tokens\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/de.fi\/blog\/#website\",\"url\":\"https:\/\/de.fi\/blog\/\",\"name\":\"De.Fi Blog\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/de.fi\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/de.fi\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/de.fi\/blog\/#organization\",\"name\":\"De.Fi\",\"url\":\"https:\/\/de.fi\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/de.fi\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/de.fi\/blog\/wp-content\/uploads\/2023\/06\/spaces_XOyvZ43P03BZ8mN6KNWT_icon_1hV2Waqet2YS2jtkV0f3_Logo.webp\",\"contentUrl\":\"https:\/\/de.fi\/blog\/wp-content\/uploads\/2023\/06\/spaces_XOyvZ43P03BZ8mN6KNWT_icon_1hV2Waqet2YS2jtkV0f3_Logo.webp\",\"width\":223,\"height\":234,\"caption\":\"De.Fi\"},\"image\":{\"@id\":\"https:\/\/de.fi\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/twitter.com\/dedotfi\",\"https:\/\/t.me\/dedotfi\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/de.fi\/blog\/#\/schema\/person\/bc7c94cb5e037c8978c6059885825591\",\"name\":\"De.Fi Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/de.fi\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6f2f941b8d00bf81e01f135977bd5284977931ec40bfd2c06000150d2a6d661d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6f2f941b8d00bf81e01f135977bd5284977931ec40bfd2c06000150d2a6d661d?s=96&d=mm&r=g\",\"caption\":\"De.Fi Security\"},\"url\":\"https:\/\/de.fi\/blog\/author\/defisecurity\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Report: The Alpha Lab Infinite Minting Saga: Team Controls 96% of the tokens","description":"We are writing this article to inform the Community about the concerns we have about this project.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/de.fi\/blog\/report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740","og_locale":"en_US","og_type":"article","og_title":"Report: The Alpha Lab Infinite Minting Saga: Team Controls 96% of the tokens","og_description":"We are writing this article to inform the Community about the concerns we have about this project.","og_url":"https:\/\/de.fi\/blog\/report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740","og_site_name":"De.Fi Blog","article_published_time":"2020-11-11T13:37:59+00:00","article_modified_time":"2023-09-17T10:48:48+00:00","og_image":[{"width":1400,"height":736,"url":"https:\/\/de.fi\/blog\/wp-content\/uploads\/2020\/11\/3-1.png","type":"image\/png"}],"author":"De.Fi Security","twitter_card":"summary_large_image","twitter_creator":"@dedotfi","twitter_site":"@dedotfi","twitter_misc":{"Written by":"De.Fi Security","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/de.fi\/blog\/report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740#article","isPartOf":{"@id":"https:\/\/de.fi\/blog\/report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740"},"author":{"name":"De.Fi Security","@id":"https:\/\/de.fi\/blog\/#\/schema\/person\/bc7c94cb5e037c8978c6059885825591"},"headline":"Report: The Alpha Lab Infinite Minting Saga: Team Controls 96% of the tokens","datePublished":"2020-11-11T13:37:59+00:00","dateModified":"2023-09-17T10:48:48+00:00","mainEntityOfPage":{"@id":"https:\/\/de.fi\/blog\/report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740"},"wordCount":2478,"publisher":{"@id":"https:\/\/de.fi\/blog\/#organization"},"keywords":["De.Fi vs Scams","Defi","Updates"],"articleSection":["De.Fi"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/de.fi\/blog\/report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740","url":"https:\/\/de.fi\/blog\/report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740","name":"Report: The Alpha Lab Infinite Minting Saga: Team Controls 96% of the tokens","isPartOf":{"@id":"https:\/\/de.fi\/blog\/#website"},"datePublished":"2020-11-11T13:37:59+00:00","dateModified":"2023-09-17T10:48:48+00:00","description":"We are writing this article to inform the Community about the concerns we have about this project.","breadcrumb":{"@id":"https:\/\/de.fi\/blog\/report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/de.fi\/blog\/report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/de.fi\/blog\/report-the-alpha-lab-infinite-minting-saga-team-controls-96-of-the-tokens-8a7d107c740#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/de.fi\/blog\/"},{"@type":"ListItem","position":2,"name":"Report: The Alpha Lab Infinite Minting Saga: Team Controls 96% of the tokens"}]},{"@type":"WebSite","@id":"https:\/\/de.fi\/blog\/#website","url":"https:\/\/de.fi\/blog\/","name":"De.Fi Blog","description":"","publisher":{"@id":"https:\/\/de.fi\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/de.fi\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/de.fi\/blog\/#organization","name":"De.Fi","url":"https:\/\/de.fi\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/de.fi\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/de.fi\/blog\/wp-content\/uploads\/2023\/06\/spaces_XOyvZ43P03BZ8mN6KNWT_icon_1hV2Waqet2YS2jtkV0f3_Logo.webp","contentUrl":"https:\/\/de.fi\/blog\/wp-content\/uploads\/2023\/06\/spaces_XOyvZ43P03BZ8mN6KNWT_icon_1hV2Waqet2YS2jtkV0f3_Logo.webp","width":223,"height":234,"caption":"De.Fi"},"image":{"@id":"https:\/\/de.fi\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/twitter.com\/dedotfi","https:\/\/t.me\/dedotfi"]},{"@type":"Person","@id":"https:\/\/de.fi\/blog\/#\/schema\/person\/bc7c94cb5e037c8978c6059885825591","name":"De.Fi Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/de.fi\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6f2f941b8d00bf81e01f135977bd5284977931ec40bfd2c06000150d2a6d661d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6f2f941b8d00bf81e01f135977bd5284977931ec40bfd2c06000150d2a6d661d?s=96&d=mm&r=g","caption":"De.Fi Security"},"url":"https:\/\/de.fi\/blog\/author\/defisecurity"}]}},"_links":{"self":[{"href":"https:\/\/de.fi\/blog\/wp-json\/wp\/v2\/posts\/1426","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/de.fi\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/de.fi\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/de.fi\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/de.fi\/blog\/wp-json\/wp\/v2\/comments?post=1426"}],"version-history":[{"count":8,"href":"https:\/\/de.fi\/blog\/wp-json\/wp\/v2\/posts\/1426\/revisions"}],"predecessor-version":[{"id":5138,"href":"https:\/\/de.fi\/blog\/wp-json\/wp\/v2\/posts\/1426\/revisions\/5138"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/de.fi\/blog\/wp-json\/wp\/v2\/media\/5546"}],"wp:attachment":[{"href":"https:\/\/de.fi\/blog\/wp-json\/wp\/v2\/media?parent=1426"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/de.fi\/blog\/wp-json\/wp\/v2\/categories?post=1426"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/de.fi\/blog\/wp-json\/wp\/v2\/tags?post=1426"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}