diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 3d1ce4e09e8413d29ef047814e083f138b975299..be67ab4f4dc4d9d31d37688692c9500403e16dd3 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -121,6 +121,11 @@ class Auth(object):
 
             # FIXME: Temp hack
             if event.type == EventTypes.Aliases:
+                if not event.is_state():
+                    raise AuthError(
+                        403,
+                        "Alias event must be a state event",
+                    )
                 if not event.state_key:
                     raise AuthError(
                         403,