Ethereum DeFi Protocol Cream Finance Succumbs To $130 Million Flash Loan Hack

Ethereum DeFi Protocol Cream Finance Succumbs To $130 Million Flash Loan Hack

Cream Finance is the latest Ethereum DeFi protocol to suffer another hack. The attackers had used a flash loan attack and made away with $130 million. Cream Finance confirmed the attack via a Twitter post where the project revealed that they were investigating the cause of the hack. The exploit had exposed vulnerabilities in the protocol’s lending pools, which had to be shut down to protect users.

We are investigating an exploit on C.R.E.A.M. v1 on Ethereum and will share updates as soon as they are available.— Cream Finance 🍦 (@CreamdotFinance) October 27, 2021

Fixing The Vulnerabilities

A follow-up tweet from the project had confirmed that the attackers had indeed made off with approximately $130 million from the hack. The hack occurred on October 27th at 13:54 UTC and impacted only the lending liquidity pools. All other markets were unaffected as it seemed the vulnerabilities were only present in these pools.

Our Ethereum C.R.E.A.M. v1 lending markets were exploited and liquidity was removed on October 27, 1354 UTC. The attacker removed a total of ~$130m USD worth of tokens from these markets, using this address: other markets were impacted.— Cream Finance 🍦 (@CreamdotFinance) October 27, 2021

Another tweet assured the community that the vulnerability had been patched with help from Yearn.Finance. V1 lending markets on Ethereum remain paused pending a post-mortem review from the team.

With the help of friends from @iearnfinance and others in the community, we were able to identify the vulnerabilities and patch them. In the meantime, we've paused our v1 lending markets on Ethereum and we're in the process of putting together a post-mortem review.— Cream Finance 🍦 (@CreamdotFinance) October 27, 2021

Nonetheless, this is a significant hack for the protocol. The funds were moved through 68 different assets on the protocol with the majority being Cream Liquidity Pool tokens and ERC-20 tokens. PeckShield, a blockchain security firm, had initially sounded the alarm to the hack. It drew the attention of the Cream Finance team to blockchain data that showed that over $130 million had been sent out to two different wallets.

Cream Finance identified the wallets where the perpetrator had transferred the tokens. Although there has been no mention of confirming the identity of the attackers. And given the track record of hacks in the crypto space, their identity will most likely remain anonymous.

Previous DeFi Hacks

This is not the first time Cream Finance has succumbed to an exploit on its protocol. As a matter of fact, this marks the third successful exploit on the Cream Finance protocol. The first hack had occurred in February this year when attackers successfully made away with $37.5 million worth of coins. Subsequently, the price of Cream had tumbled 20% as news of the hack made the rounds.

Then in August, Cream Finance had again suffered another hack. This time, the protocol lost $29 million to the attackers. The attackers had exploited a bug introduced when the amp token was introduced into Cream Finance’s protocol. Blockchain security firm Peckshield had also reported this exploit and called attention to the bug.

The latest Cream Finance is the third-largest DeFi exploit in history. Poly Network and Compound finance still hold the record for the 1st and 2nd highest DeFi exploit respectively. Following the hack, the price of CREAM tanked 27%. The digital asset is still struggling to recover as the community awaits further updates from the team.