What Just Happened to CREAM Finance? The long-lasting effect of security vulnerabilities in DeFi

Alejandra Corbella

CREAM Finance broke a record this year for getting hacked three times in a matter of months! While CREAM Finance has quite the record when it comes to security vulnerabilities, the third hack has been by far the most devastating, accountable for a loss of over $130M. Most importantly, it has cost the project damage in trust and credibility from the community. Many believe the project will not survive. Can CREAM redeem itself and recover?

Here is the full Valid Insights breakdown on the latest attack:

About CREAM Finance

C.R.E.A.M stands for Crypto Rules Everything Around Me. The project began with the premise of improving the current financial system and making it more accessible than traditional finance. CREAM is also a fork of the Compound protocol, the same protocol that has lost over $60M because of a bug! CREAM is a peer-to-peer lending protocol on the Ethereum network. The differentiator between CREAM Finance and Compound is the additional assets on CREAM, such as $CRV and $YFI. While the latest attack does not come as a surprise, it's marked as the third biggest hack in DeFi history.

The Valid Network team collected and analyzed data on the attack to raise awareness for DeFi risks, and help you invest in digital assets with confidence.  

What happened?

On October 27, 2021, at around 7am PST, CREAM Finance suffered an attack via a flash loan. The attack was successful due to a series of sophisticated and advanced steps, and it was likely well-planned beforehand. In our findings, we discovered that the attacker’s account was seeded from Tornado cash, a popular crypto mixer that increases anonymity in the Blockchain.

Overview of the attack:

1. Flash Borrow $500M of DAI from Maker

2. Deposit $500M DAI into yDAI

3. Deposit ~$500M yDAI into the 4pool to get yUSD

4. Deposit ~$500M in Yearn to get yUSDVault

5. yUSD was deposited as collateral in CREAM, giving $500M of crYUSD

After the attack, funds were transferred to these two accounts:  



During the first day of the attack, there were ~$43M in assets in the original hacker’s account and around $15M in assets evenly split in two wallets. Since then, two additional transfers of 715 ETH were sent to these two accounts, still maintaining an even split.  

How could the attack take place?

There were key limitations in the CREAM Oracle system and the way it calculates prices for assets. The attacker utilized limitations in pricing calculations made by smart contracts that CREAM Finance’s platform depends on.  

Using these limitations, the attacker manipulated pricing of assets used as collateral, allowing undercollateralized loans. These loans can then be simply abandoned along with their limited collateral, to maintain the more valuable loan body.  

The pricing manipulation caused by the attacker has persisted and was not undone as part of the cleanup following the attack. This means that incorrect pricing was still the case even after the attack was discovered.


Financial impact

Within 20 minutes after the attack, the CREAM token has dropped over 23%.

Capture from CoinMarketCap.com

Valid Insights on CREAM Finance

CREAM’s Valid Score currently sits at S2, which indicates overall low security and reliability. The underlying drivers affecting the score are:

  • Security (S2): High risk of exploitable security vulnerabilities exists within the smart contracts used by CREAM, or on which the CREAM ecosystem depends for continued operations.  
  • Governance (S3): CREAM Finance has not been sufficiently active in response to previous incidents, pointing to limitations in governing the platform and its ecosystem
  • Market Presence (S2): The recent incidents have impacted CREAM’s market presence significantly and it is now being traded unfavorably.
  • Reputation (S3): The backlash from the community after several hacks has cost CREAM damage to their reputation.

About Valid Insights

Valid Insights is the only platform that empowers traders and investors to quickly understand the opportunities and threats in any cryptocurrency and digital asset - including tokens, vaults, NFTs, wallets, and exchanges.  Valid Insights’ continuous monitoring and automated AI technology give you predictive crypto insights, as well as real-time ones, so you can make informed decisions and invest with confidence.

Sign up for free at https://data.valid.network/

It’s time to Deriskify Crypto!

Uncover risks & opportunities in crypto to maximize your gains.

Valid Data’s real-time and predictive insights are used by Cryptocurrency traders and exchanges, as well as investors and hedge funds, to make better investment and trading decisions, to protect the value of their digital assets, and to capitalize on market opportunities that only Valid Network’s technology can uncover.

Try Valid Data

Other Blogs

Introducing Ethereplay by Valid Network

We are excited to announce Ethereplay by Valid Network, a free community tool to support examining, analyzing, optimizing and securing of smart contract code on Ethereum.

Onboarding blockchain tech? Don’t miss these important facts

Key issues that enterprises must carefully consider and deal with when onboarding blockchain technology

What are CBDC and are Digital Currencies Safe?

Cryptocurrency and DeFi trading platforms have long signified a coming change in the way currency is handled around the world.

Integer Overflow in Ethereum

Many involved in blockchain do not have a full comprehension of the impact of software flaws and how they can enable vulnerability.

Subscribe to our newsletter and get the latest updates every day

Get crypto analysis, insights and updates right to your inbox! Sign up here so you don't miss a single newsletter.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.