cryptobriefing.com
Cream Finance was drained of $37.5 million earlier this morning.
Cream Finance Exploited
The DeFi space has suffered yet another attack.
This time, the Cream Finance protocol was affected. The team confirmed that it was investigating “a potential exploit” on Twitter earlier this morning.
We are aware of a potential exploit and are looking into this. Thank you for your support as we investigate.
— Cream Finance 🍦 (@CreamdotFinance) February 13, 2021
The attacker targeted Cream’s Iron Banks contract.
An Etherscan transaction shows that they drained the protocol of around $37.5 million. A large chunk of that sum was a loan of 13,244 ETH.
A trail of activity shows that they sent some ETH through Tornado.cash, a privacy solution that helps Ethereum users conceal their transaction history. They also appear to have sent 1,000 ETH to both the Alpha Finance Lab deployer and Cream Finance deployer.
The attack was carried out through a complex multi-step process that suggests the perpetrator was an experienced DeFi native. They used the Alpha Homora protocol, which integrates Cream, to borrow sUSD. They then lent these funds back to Iron Bank to receive cySUSD. They also took out large flash loans from Aave to increase their cySUSD holdings. With that, they were able to borrow the 13,244 ETH, $4,263,139 worth of DAI, $3,997,921 worth of USDC, and $5,647,242 worth of USDT.
They deposited some funds to Aave, 1,000 ETH to Iron Bank and Alpha Homora, and 320 ETH was sent to Tornado.cash. That leaves just under 10,925 ETH in their wallet, worth roughly $20 million. Their funds can be viewed on Etherscan. They did it all for a transaction fee of 0.67 ETH, around $1,274.
It’s yet another case study that shows DeFi is still in its nascent stages. As such, experimenting with this technology is highly risky.