CREAM Finance broke a record this year for getting hacked three times in a matter of months! While CREAM Finance has quite the record when it comes to security vulnerabilities, the third hack has been by far the most devastating, accountable for a loss of over $130M. Most importantly, it has cost the project damage in trust and credibility from the community. Many believe the project will not survive. Can CREAM redeem itself and recover?
C.R.E.A.M stands for Crypto Rules Everything Around Me. The project began with the premise of improving the current financial system and making it more accessible than traditional finance. CREAM is also a fork of the Compound protocol, the same protocol that has lost over $60M because of a bug! CREAM is a peer-to-peer lending protocol on the Ethereum network. The differentiator between CREAM Finance and Compound is the additional assets on CREAM, such as $CRV and $YFI. While the latest attack does not come as a surprise, it's marked as the third biggest hack in DeFi history.
The Valid Network team collected and analyzed data on the attack to raise awareness for DeFi risks, and help you invest in digital assets with confidence.
On October 27, 2021, at around 7am PST, CREAM Finance suffered an attack via a flash loan. The attack was successful due to a series of sophisticated and advanced steps, and it was likely well-planned beforehand. In our findings, we discovered that the attacker’s account was seeded from Tornado cash, a popular crypto mixer that increases anonymity in the Blockchain.
1. Flash Borrow $500M of DAI from Maker
2. Deposit $500M DAI into yDAI
3. Deposit ~$500M yDAI into the 4pool to get yUSD
4. Deposit ~$500M in Yearn to get yUSDVault
5. yUSD was deposited as collateral in CREAM, giving $500M of crYUSD
After the attack, funds were transferred to these two accounts:
During the first day of the attack, there were ~$43M in assets in the original hacker’s account and around $15M in assets evenly split in two wallets. Since then, two additional transfers of 715 ETH were sent to these two accounts, still maintaining an even split.
There were key limitations in the CREAM Oracle system and the way it calculates prices for assets. The attacker utilized limitations in pricing calculations made by smart contracts that CREAM Finance’s platform depends on.
Using these limitations, the attacker manipulated pricing of assets used as collateral, allowing undercollateralized loans. These loans can then be simply abandoned along with their limited collateral, to maintain the more valuable loan body.
The pricing manipulation caused by the attacker has persisted and was not undone as part of the cleanup following the attack. This means that incorrect pricing was still the case even after the attack was discovered.
Within 20 minutes after the attack, the CREAM token has dropped over 23%.
CREAM’s Valid Score currently sits at S2, which indicates overall low security and reliability. The underlying drivers affecting the score are:
Valid Insights is the only platform that empowers traders and investors to quickly understand the opportunities and threats in any cryptocurrency and digital asset - including tokens, vaults, NFTs, wallets, and exchanges. Valid Insights’ continuous monitoring and automated AI technology give you predictive crypto insights, as well as real-time ones, so you can make informed decisions and invest with confidence.
Sign up for free at https://data.valid.network/
Valid Data’s real-time and predictive insights are used by Cryptocurrency traders and exchanges, as well as investors and hedge funds, to make better investment and trading decisions, to protect the value of their digital assets, and to capitalize on market opportunities that only Valid Network’s technology can uncover.
Get crypto analysis, insights and updates right to your inbox! Sign up here so you don't miss a single newsletter.