Oct. 28, 2021: C.R.E.A.M.-ed 📉💥

$130MM Drained in Third Largest DeFi Hack

Chaos Rule Everything Around Me

Cream Finance 🍦 @CreamdotFinance

Our Ethereum C.R.E.A.M. v1 lending markets were exploited and liquidity was removed on October 27, 1354 UTC. The attacker removed a total of ~$130m USD worth of tokens from these markets, using this address: etherscan.io/address/0x2435… No other markets were impacted.

8:17 PM ∙ Oct 27, 2021

---

C.R.E.A.M. was exploited for $130MM worth of tokens in a major hack that will land in the bronze medal spot on Rekt.

Lark Davis @TheCryptoLark

Third time that Cream has been hacked, this time it was hit for 130 million!!!! Ouch, one of the biggest #crypto #defi hacks ever. Always use insurance.

decrypt.coCream Finance Suffers Third Hack, Loses Over $130 Million - DecryptCream Finance, a DeFi lending protocol, has been hacked for over $130 million—marking the third hack suffered by the protocol.

12:27 AM ∙ Oct 28, 2021

---

Or if you prefer to count by total lifetime hack volume, it would shoot into second place. C.R.E.A.M. has been already been hacked at least 3 times, with some users recalling even more.

Early returns on our poll suggest the easiest path to wealth in 2021 is not a bag of SHIBA, but simply hacking the porous protocol.

What exactly happened in this case? Early analysis suggests it was a flash loan attack that manipulated the price of the $yUSD vault. The most comprehensive thread we’ve found belongs to @Mudit__Gupta.

Mudit Gupta @Mudit__Gupta

Cream hack early analysis - 1. Using account A, Flash Borrow 500m DAI 2. Deposit 500m dai into yDAI 3. Deposit ~500m yDAI into yUSD 4. Deposit ~500m yUSD into yUSDVault 5. Mint ~$500m crYUSD (it used yUSDVault as underlying)

4:42 PM ∙ Oct 27, 2021

---

More details to come, but the analysis suggests the attack may have been executed by DeFi devs, leading to plenty of rumors that this was an inside job.

Mudit Gupta @Mudit__Gupta

I have so much to say about the cream hack. Twitter threads aren't gonna cut it. Expect a blog post soon. This was a cleanly executed attack. Fun to analyze. *puts on tinfoil hat*: Two people involved, shared account. Attackers are DeFi devs, not traditional security folks. gn

7:47 PM ∙ Oct 27, 2021

---

Another great analysis by PeckShield illustrates the specific mechanics of how the hack went down.

PeckShield Inc. @peckshield

3/4 To illustrate, we use the hack tx and show the key steps below:

4:36 PM ∙ Oct 27, 2021

---

The breakdown of tokens stolen is something to behold. Lots of ETH and altcoins.

SlowMist @SlowMist_Team

BREAKING: Ethereum DeFi protocol @CreamdotFinance hacked for more than $130 million. According to SlowMist AML statistics, the hacker has profited a total of 2760.22 ETH and 60 tokens including HBTC, USDT, BUSD, etc. SlowMist will continue to monitor the transfer of stolen funds.

4:27 PM ∙ Oct 27, 2021

---

You can browse the hacker addresses yourself if you want to peer in on the action:

Steven @Dogetoshi

Over $100M CREAM hack. Below are the hacker's addresses. etherscan.io/address/0x2435… etherscan.io/address/0x961d…

2:29 PM ∙ Oct 27, 2021

---

The proceeds includes at least $10MM in Curve, mostly in $CRV but also some in pool tokens.

SlowMist @SlowMist_Team

In addition, there are more than $60 million of funds staked in Uniswap, SushiSwap, Curve and other DeFi protocols. #SlowMist #AML #MistTrack

5:10 PM ∙ Oct 27, 2021

---

Of course, Curve has no known censorship mechanisms, so it’s not out of the question that the hacker is furiously poring through Curve Market Cap reruns trying to figure out the best way to optimize yield on this fat stack. If so, please consider a subscription. All proceeds go to support PAC DAO crypto activism.

DefiMoon 🦇🔊 @DefiMoon

So.... the $Cream flash-thief got his greasy paws on 165k $CRV, what will they do with it? 🤔

SlowMist @SlowMist_Team

BREAKING: Ethereum DeFi protocol @CreamdotFinance hacked for more than $130 million. According to SlowMist AML statistics, the hacker has profited a total of 2760.22 ETH and 60 tokens including HBTC, USDT, BUSD, etc. SlowMist will continue to monitor the transfer of stolen funds. https://t.co/eLPMz3YEII

7:50 PM ∙ Oct 27, 2021

---

Thankfully the damage appears limited to C.R.E.A.M. The Yearn team is assisting with the investigation and helping conduct a post mortem.

Cream Finance 🍦 @CreamdotFinance

With the help of friends from @iearnfinance and others in the community, we were able to identify the vulnerabilities and patch them. In the meantime, we've paused our v1 lending markets on Ethereum and we're in the process of putting together a post-mortem review.

8:17 PM ∙ Oct 27, 2021

---

As always, throughout the process the Ethereum blockchain did double duty as a rare censorship-resistant social network. The full archive of messages is a chuckle:

Alice (💀, 💀) @0xAlice_

$CREAM Hack: Messages to the hacker Now live at pentacle.xyz/bad-things-cre…

8:33 PM ∙ Oct 27, 2021

---

One interesting question is the role of DeFi insurance in hacks of such magnitude.

Papi🌗 @CryptoKnight944

Kinda interested to see what happens as a result of the cream hack. Is smart contract insurance really gonna cover a 1 billion $ hack?

4:27 PM ∙ Oct 27, 2021

---

It’s a question I commonly receive, but I have zero practical experience with DeFi insurance. I like to live dangerously… or more precisely… “Sorry ser, we don’t insure wallets of such modest backgrounds.”

In this case a relatively small number of people likely purchased insurance, so it’s not likely to break the bank. Yet C.R.E.A.M. has over $2 billion in value locked. In a scenario in which many more people purchased DeFi insurance and a major hack went down, it’s hard to imagine how insurance would cover a massive attack.

It’s a reminder to stay safe out there. If you don’t protect yourself, Uncle Sam might “protect” you instead, and nobody yet sells insurance for that.

---

Read Disclaimers!