C.R.E.A.M Finance exploited for over $100 million

Getting your Trinity Audio player ready...

Ethereum-based liquidity pools on C.R.E.A.M Finance were drained by an attacker which resulted in  $115 million leaving the platform; this makes the C.R.E.A.M Finance exploit the third-largest DeFi attack in DeFi history according to the Rekt leaderboard, which tracks and ranks the total value lost in various DeFi hacks.

We are investigating an exploit on C.R.E.A.M. v1 on Ethereum and will share updates as soon as they are available.

— Cream Finance 🍦 (@CreamdotFinance) October 27, 2021

According to the DeFi data aggregator DeFi Lama, there was roughly $1.06 billion locked in C.R.E.A.M Finance’s ETH-based liquidity pools before the time of the attack. But now, when you check the ‘markets page’ on the C.R.E.A.M Finance website, you will find that most of its ethereum-based pools have zero liquidity. After the hacker drained the liquidity pools, they sent $92 million to one address and $23 million to a second address.

The attacker, who remains unknown, was able to drain the liquidity pools by way of a flash loan attack. A flash loan attack is when an attacker takes out a loan from one DeFi platform or service provider and uses the borrowed money to interact with smart contracts in a way that manipulates prices of DeFi tokens in their favor so that they can subsequently drain a projects liquidity pool at prices favorable to them.

#FlashLoanAlert https://t.co/XzAvHqoINN

— PeckShield Inc. (@peckshield) October 27, 2021

The C.R.E.A.M Finance exploit was complex and required the attacker to transfer 68 different tokens to their own wallet from many unique locations. The attack was so large, that it costs the attacker 9.16 Ether in transaction fees – roughly $36,700 as of press time – to execute the attack on-chain.

As of press time, the hacker is trying to launder the money by sending it to services and platforms that obfuscate transaction history by mixing user transactions together before redistributing the jumbled funds.

Two exploits in two months

This isn’t the first time that C.R.E.A.M finance has been exploited, in August, C.R.E.A.M finance was exploited for $18.8 million by way of a flash loan attack.

1/4 @CreamFinance was exploited in (one hack tx: https://t.co/JPW7e368qd), leading to the gain of ~$18.8M for the hacker.

— PeckShield Inc. (@peckshield) August 30, 2021

Flash loans continue to be a popular method to exploit DeFi platforms and contracts. It is difficult for platforms to protect against these types of attacks because exploits don’t require attackers to breach the system they are attacking. Instead, they require the attacker to have advanced knowledge of the system in a way that lets them know how their actions on one end of the platform or an external platform, affect other areas of the platform they are exploiting.

This latest C.R.E.A.M Finance exploit is a developing story, and the C.R.E.A.M Finance team says they will be sharing updates as soon as they are available.

Follow CoinGeek’s Crypto Crime Cartel series, which delves into the stream of groups—a from BitMEX to Binance, Bitcoin.com, Blockstream, ShapeShift, Coinbase, Ripple and
Ethereum—who have co-opted the digital asset revolution and turned the industry into a minefield for naïve (and even experienced) players in the market.