Cream Finance suffered another exploit on Wednesday, in which the attacker stole around $130 million from Cream V1 lending markets on Ethereum.
Cream Finance's Twitter handle first announced the exploit on Wednesday, October 28, at around 15:00 UTC. The announcement reads:
We are investigating an exploit on C.R.E.A.M. v1 on Ethereum and will share updates as soon as they are available.
— Cream Finance 🍦 (@CreamdotFinance) October 27, 2021
Hours later, the Cream Finance team came up with an initial investigation analysis that revealed that on Wednesday, October 27, at 13:54 UTC, Cream’s Ethereum-based V1 lending markets were exploited. The team said:
"Our Ethereum C.R.E.A.M. v1 lending markets were exploited and liquidity was removed on October 27, 1354 UTC. The attacker removed a total of ~$130m USD worth of tokens from these markets, using this address: https://etherscan.io/address/0x24354d31bc9d90f62fe5f2454709c32049cf866b No other markets were impacted."
— Cream Finance 🍦 (@CreamdotFinance) October 27, 2021
Blockchain security firm PeckShield was the first to detect the exploit that was later confirmed by Cream Finance. According to PeckShield, this was a flash loan attack in which attackers exploited a bug in Cream Finance’s price oracle. PeckShield wrote:
"The hack is made possible due to a price manipulation bug in CREAM price oracle. And this bug allows directly transferred yDAI+yUSDC+yUSDT+yTUSD tokens to significantly increase yUSD pricePerShare, which allows for basically borrowing all funds in current lending pools."
— PeckShield Inc. (@peckshield) October 27, 2021
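The mechanism PeckShield describes, a share price read as balanceOf()/totalSupply() that a direct token transfer can inflate, is easy to see in a toy model. The following is an added example written for this article, not Cream's, Yearn's or PeckShield's code: the Vault, BoundedOracle, borrow_limit and every number in it are constructed assumptions. It compares the naive oracle reading with two defensive readings, one that prices shares from the vault's own bookkeeping rather than its token balance, and one that refuses a reading that jumps more than a set number of basis points from the last accepted price and flags it for alerting.

```python
"""Toy model of a share-price oracle that reads balanceOf()/totalSupply() and can be
inflated by a direct token transfer, beside two defensive readings.  Constructed
example; the Vault, BoundedOracle and all numbers are assumptions, not Cream's,
Yearn's or PeckShield's code."""
from typing import Dict, Tuple

SCALE = 10**18  # fixed-point scale for pricePerShare, as Yearn-style vaults use


class Vault:
    """Simplified vault: depositors receive shares backed by underlying tokens."""
    def __init__(self) -> None:
        self.total_shares = 0
        self.token_balance = 0     # what balanceOf(vault) reports on-chain
        self.accounted_assets = 0  # assets the vault booked through deposit()

    def deposit(self, amount: int) -> int:
        # Mint shares pro rata to the internally accounted price.
        if self.total_shares == 0:
            shares = amount
        else:
            shares = amount * self.total_shares // self.accounted_assets
        self.total_shares += shares
        self.token_balance += amount
        self.accounted_assets += amount
        return shares

    def direct_transfer(self, amount: int) -> None:
        # An ERC-20 transfer straight to the vault address: the balance rises,
        # no shares are minted and nothing is booked by the vault itself.
        self.token_balance += amount


def naive_price_per_share(v: Vault) -> int:
    """Oracle reading that trusts balanceOf()/totalSupply()."""
    return v.token_balance * SCALE // v.total_shares


def accounted_price_per_share(v: Vault) -> int:
    """Oracle reading that uses the vault's own bookkeeping instead of balanceOf()."""
    return v.accounted_assets * SCALE // v.total_shares


class BoundedOracle:
    """Keeps the last accepted price and refuses any reading that moves more than
    max_bps basis points from it, returning the old price plus a flag for alerting."""
    def __init__(self, initial_price: int, max_bps: int = 500) -> None:
        self.last_price = initial_price
        self.max_bps = max_bps

    def update(self, candidate: int) -> Tuple[int, bool]:
        limit = self.last_price * self.max_bps // 10_000
        if abs(candidate - self.last_price) > limit:
            return self.last_price, False  # anomalous jump: hold the last good price
        self.last_price = candidate
        return candidate, True


def borrow_limit(shares: int, price_per_share: int, ltv_bps: int = 7500) -> int:
    """Borrowing power a lending market would grant against `shares` as collateral."""
    collateral_value = shares * price_per_share // SCALE
    return collateral_value * ltv_bps // 10_000


def simulate(deposit: int = 1_000_000, donation: int = 500_000) -> Dict[str, int]:
    """Deposit, then send tokens directly to the vault, and compare oracle readings."""
    v = Vault()
    shares = v.deposit(deposit)
    oracle = BoundedOracle(naive_price_per_share(v))
    before = naive_price_per_share(v)

    v.direct_transfer(donation)  # constructed: the direct transfer the tweet describes

    naive_after = naive_price_per_share(v)
    accounted_after = accounted_price_per_share(v)
    bounded_after, accepted = oracle.update(naive_after)
    return {
        "price_before": before,
        "naive_after": naive_after,          # inflated by the donation
        "accounted_after": accounted_after,  # unchanged: nothing was booked
        "bounded_after": bounded_after,      # held at the last good price
        "bounded_accepted": accepted,        # False: reading flagged as anomalous
        "borrow_naive": borrow_limit(shares, naive_after),
        "borrow_accounted": borrow_limit(shares, accounted_after),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:>18}: {value}")
```

With the constructed numbers, a 1,000,000-token deposit followed by a 500,000-token direct transfer moves the naive pricePerShare from 1.0 to 1.5 and lifts the borrowing power of the same shares from 750,000 to 1,125,000, while the accounted reading stays at 1.0 and the bounded oracle holds its last price and reports the jump. Neither defence is free: internal accounting must be kept consistent with real withdrawals, and a movement bound needs a sensible threshold so that legitimate yield is not rejected.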
BlockSec's investigation tells a similar story. Further details reveal that the initial funds used to launch the hack were taken from Tornado Cash and that the stolen funds were transferred to 0x24354D31bC9D90F62FE5f2454709C32049cf866b. According to PeckShield, the stolen assets are worth around $117 million, while Cream Finance puts the figure at around $130 million.
The stolen funds were mostly Cream LP tokens and other ERC-20 tokens. The hacker swapped some of them via ParaSwap and Uniswap. Cream Finance further said that, with the help of Yearn Finance and others in the community, it had identified and fixed the vulnerability. Cream V1 lending markets on Ethereum are now closed for a period yet to be announced, and a post-mortem report will follow.
This is far from the first time this DeFi protocol has suffered a major attack. As Crypto Economy reported, in August 2021 Cream Finance was involved in a $25 million flash loan attack in which the hacker got away with more than 418,311,571 AMP, Flexa Network's native token, and 1,308 ETH.
Even before this, Cream Finance was exploited for $37 million in February 2021. After each exploit, Cream's native token, CREAM, fell sharply. In this latest exploit, CREAM dropped 28% in minutes, from $152 to $111. The token now trades at $101, a 35% fall in the last 24 hours.