A $37 Million DeFi Heist Cost Attackers Just $15,000 in Transaction Fees

decrypt.co, 14 February 2021 11:10 UTC

The price of C.R.E.A.M., the token that powers an eponymous decentralized finance lending protocol, today crashed from $288 to $193 in just one hour following an apparent flash loan exploit that drained $37 million from the protocol. C.R.E.A.M.’s price is now $223. 

No official confirmation of the attack has been given by Cream Finance, but the team tweeted to announce their awareness of a ‘potential exploit.’ More than two hours later, fellow DeFi protocol Alpha Finance announced it had also been the victim of an ‘exploit.’

We are aware of a potential exploit and are looking into this. Thank you for your support as we investigate.

— Cream Finance 🍦 (@CreamdotFinance) February 13, 2021

In an analysis of the attack, The Block’s crypto researcher, Igor Igamberdiev, concluded that experienced DeFi hackers hauled over $37.5 million in a complex and multi-step attack involving flash loans—instant crypto loans. 

2/ They do this through two transactions and each time they lend the funds back into IronBank, receiving cySUSD.

3/ At some point exploiter took $1.8M USDC flash loan from Aave v2 and swapped USDC to sUSD using Curve. pic.twitter.com/fSheiqZ6lO

— Igor Igamberdiev (@FrankResearcher) February 13, 2021

The attackers took out crypto loans from lending protocols and then deposited them into CREAM’s lending platform, Iron Bank. Iron Bank had recently been upgraded to enable collateral-free borrowing from Alpha Finance, and the exploiter received special derivative tokens called cySUSD in return.

A Flash Loan Con

The exploiter took out enough loans that they got a tremendous amount of cySUSD tokens, which they could use to “borrow anything from IronBank,” tweeted Igamberdiev. 

So the exploiter borrowed 13,244 ETH ($23.8 million), $3.6 million in USDC and $5.6 million in USDT, both US dollar stablecoins, and $4.2 million in DAI, a decentralized US dollar stablecoin. That amounts to about $37 million.

According to the blockchain trail, 1000 ETH ($1.8 million) was refunded to both Alpha’s protocol and Cream Finance, another 320 ETH ($577,238) was sent to Tornado, a privacy tool for Ethereum, and more still went to repay the massive loans needed for the attack.

The attacker even used 100 ETH to fund Tornado’s Gitcoin grant, according to “pantsme,” a pseudonymous blockchain developer. The exploiter kept about $19.9 million for themselves.

Looks like only ~$23mil in $ETH stolen. Good guy exploiter even was nice enough to send some of that ETH back to Cream and Alpha. Even funded https://t.co/ihTTSzmEw3's Gitcoin grant with 100 ETH. Could have been worse.

— pantsme (@skumbagt) February 13, 2021

And the whole exploit cost just $14,754 in Ethereum gas fees to pull off.

Teething troubles

Alpha Finance has since tweeted that the loophole has been patched, and Cream Finance also tweeted that "C.R.E.A.M. contracts and markets were investigated and found to be functioning as normal," but for many it's a reminder of the precariousness of DeFi protocols.

DeFi is susceptible to flash loan exploits like this. In a notable case before Christmas, the newly launched Warp Finance DeFi platform was taken for $7.7 million in stablecoins in another flash loan attack. And in one attack against crypto lending platform Compound, exploiters took home $89 million. 

It’s clear, then, that more work needs to be done to prevent crypto from leaking out of the DeFi bucket. 
