Alkimiya Hack Analysis
Alkimiya is a protocol that turns blockchain blockspace resources - like transaction fees - into tradable assets. It uses smart contracts to create a peer-to-peer market, helping stabilize fees, improve price discovery, and optimize resource use across blockchains.
On March 28, 2025, Alkimiya suffered an attack resulting in a loss of approximately $95.5K. The root cause was an unsafe integer conversion during the minting calculation when users deposited collateral.
Overview
Attacker address: 0xF6ffBa5cbF285824000daC0B9431032169672B6e
Attacker’s contract: 0x80bf7db69556d9521c03461978b8fc731dbbd4e4
Attack transaction: 0x9b9a6dd05526a8a4b40e5e1a74a25df6ecccae6ee7bf045911ad89a1dd3f0814
Vulnerable contract: 0xf3f84ce038442ae4c4dcb6a8ca8bacd7f28c9bde
Analysis
The attack started with a flash loan of 10 WBTC from Morpho (line 5). The attacker then attempted to mint exactly 2^128 + 1 shares using SilicaPools.collateralizedMint() (line 12), providing approximately 1.7 WBTC as collateral (green box).
SilicaPools minted exactly 2^128 + 1 shares for the attacker using the full 256-bit shares parameter. However, due to an unsafe cast at line 837, only 1 share was recorded. This flaw was the root cause of the attack.
Referring to Figure 1, the attacker transferred 2^128 - 1 shares to another address (yellow box), leaving only 2 shares in the contract. Finally, they called SilicaPools.redeemShort() to withdraw the collateral.
Since sState.sharesMinted was incorrectly set to 1, while the attacker’s contract held 2 shares, SilicaPools mistakenly returned approximately 3.4 WBTC - twice the original deposit.
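The cast behaviour described above, shown next to a checked version. This is an added example, not the Alkimiya SilicaPools source: the contract name, struct layout, function names and the pro-rata payout formula are simplified assumptions made for illustration, and collateral is modelled as a plain number rather than a token transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model written for this analysis; NOT the SilicaPools code.
// Assumptions: a single pool, collateral kept as a number, pro-rata redemption.
contract NarrowingCastDemo {
    struct State {
        uint128 sharesMinted; // narrowed to 128 bits so two fields share one slot
        uint128 collateral;
    }

    State public unsafeState;
    State public safeState;
    mapping(address => uint256) public balance; // share ledger keeps all 256 bits

    error SharesOverflow(uint256 shares);

    // Vulnerable pattern: Solidity 0.8 reverts on arithmetic overflow, but an
    // explicit narrowing cast silently keeps only the low 128 bits.
    function mintUnsafe(uint256 shares, uint128 collateral) external {
        balance[msg.sender] += shares;               // ledger: 2**128 + 1
        unsafeState.sharesMinted += uint128(shares); // counter: 1
        unsafeState.collateral += collateral;
    }

    // Hardened pattern: reject any value that does not fit before narrowing
    // (OpenZeppelin's SafeCast.toUint128 performs the same range check).
    function mintSafe(uint256 shares, uint128 collateral) external {
        if (shares > type(uint128).max) revert SharesOverflow(shares);
        balance[msg.sender] += shares;
        safeState.sharesMinted += uint128(shares);
        safeState.collateral += collateral;
    }

    // Assumed payout rule: collateral * sharesHeld / sharesMinted.
    // After mintUnsafe(2**128 + 1, 170_000_000), payoutUnsafe(2) returns
    // 340_000_000: twice the deposit, because the counter says 1 share exists.
    function payoutUnsafe(uint256 sharesHeld) external view returns (uint256) {
        return uint256(unsafeState.collateral) * sharesHeld / unsafeState.sharesMinted;
    }
}
```

An invariant worth asserting in tests and fuzzing campaigns is that the sum of all share balances equals the recorded sharesMinted after every mint, transfer and redeem; the truncated mint breaks it immediately.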
Conclusion
Optimizing for gas efficiency is beneficial, but only if the code remains correct. In this case, the saved gas was insignificant compared to the loss caused by the bug. Despite multiple audits, this flaw went undetected, leading to a real attack. To prevent such issues, we strongly recommend implementing rigorous security measures from the start and throughout the project’s lifecycle. Regular audits, code reviews, and vulnerability assessments should be standard practice to identify and mitigate risks before they can be exploited.