- Cream Finance has been hit for over $136 million in a flash loan attack.
- The stolen funds comprised mainly of LP tokens, several other ERC-20 tokens, and stablecoins.
- Roughly $40 million of the stolen funds are in Cream’s ETH2 custodial staking service, meaning they could potentially be recovered.
Decentralized lending protocol Cream Finance has been hit by a major flash loan attack. The assailant borrowed $2 billion from Aave and made off with over $136 million worth of Ethereum-based tokens.
Cream Finance Hit By Another Flash Loan Attack
Cream Finance has been exploited.
An attacker successfully used a flash loan earlier today to borrow 524,102.159 ETH from Aave, worth about $2 billion at today’s prices. They then successfully drained Cream Finance of several DeFi tokens, making off with around $136 million at peak prices according to Zerion. The transaction for the attack cost $36,574.34 and can be viewed on Etherscan.
The smart contract auditing firm PeckShield broke the news of the attack on Twitter this afternoon, while Cream Finance announced that it was “investigating an exploit on C.R.E.A.M. v1 on Ethereum.” The team added that it would share further updates as soon as they’re available.
We are investigating an exploit on C.R.E.A.M. v1 on Ethereum and will share updates as soon as they are available.
— Cream Finance 🍦 (@CreamdotFinance) October 27, 2021
The Etherscan transaction history shows that the attacker moved at least $92 million to one Ethereum wallet and $23 million to another. The stolen funds were mostly comprised mainly of Cream LP tokens, which can be earned for providing liquidity to the protocol, as well as XSUSHI, WNXM, YFI, and several other ERC-20 tokens and stablecoins.
In the input data for the transaction, the attacker left the following message:
“gÃTµ Baave lucky, iron bank lucky, cream not. ydev : incest bad, dont do”
The message likely refers to Cream Finance’s Iron Bank, which Alpha Finance uses in partnership with Cream. Alpha Finance posted an update confirming that Iron Bank and its Alpha Homora V2 product were “safe” following the attack. Yearn Finance also posted an update confirming that its products have not been affected and its team was “assisting Cream with investigation of the exploit.”
Interestingly, the wallet containing the majority of the attacker’s stolen funds received a transaction from a user with the Ethereum Name Service domain oilysirs.eth following the attack. The transaction contained a message that warned the attacker that they “are NGMI” because they “will never be able to cash that amount out.” “NGMI” is a popular meme in the crypto community. It’s typically used as an insult, meaning “Not Going to Make It.”
Following the attack, crypto investor and researcher Adam Cochran noted that Cream’s staked Ethereum 2.0 service is custodial, suggesting that users may be reimbursed for the stolen Cream LP tokens.
The attacker also used the DeFi exchange aggregator ParaSwap to convert tokens like AAVE and PERP for ETH and USDC. They also used Ren’s bridge to move over $6 million into BTC.
The total value locked on the protocol has shrunk by 72%, while the price of Cream’s native governance token CREAM has plummeted by around 27%, trading at $114 at the time of writing.
Notably, this isn’t the first time Cream Finance has been hit by a severe attack. The protocol lost $34 million in a similar exploit only in August, though the attacker later returned a portion of the funds.
Editor’s note: This is a developing story and will be updated as details emerge.
Disclosure: At the time of writing, the author of this feature owned ETH and xSUSHI.