The attacker exploited a vulnerability in the Iron Bank DeFi protocol (Cream Finance’s second version) and withdrew tokens totaling $37.5 million.
— Cream Finance 🍦 (@CreamdotFinance) February 13, 2021
“We are aware of the potential vulnerability and are studying it. Thank you for your support in our investigation,” said representatives of Cream Finance.
The Block analyst Igor Igamberdiev tallied $37.5 million in losses for the project due to the exploit. He also outlined the hacker’s sequence of actions.
IronBank ($CREAM) was exploited on $37.5M, let’s take a quick look at what happened.👇
1/ Attacker used Alpha Homora for borrowing sUSD from IronBank.
Each time they borrow twice as much as in the previous one.— Igor Igamberdiev (@FrankResearcher) February 13, 2021
“The attacker used Alpha Homora to borrow funds from IronBank. Each time he borrowed twice as much as in the previous case”.
2/ They do this through two transactions and each time they lend the funds back into IronBank, receiving cySUSD.
3/ At some point exploiter took $1.8M USDC flash loan from Aave v2 and swapped USDC to sUSD using Curve. pic.twitter.com/fSheiqZ6lO
— Igor Igamberdiev (@FrankResearcher) February 13, 2021
“He did this via two transactions, each time lending the funds back into IronBank and receiving cySUSD.”
After this he deposited the sUSD into IronBank. This allowed the hacker to continue borrowing and supplying funds, ending up with cySUSD.
“Of course, some sUSD were spent on repaying the flash loan,” the researcher noted.
6/ Also, a $10 million flash loan is taken, which is also used to increase the number of cySUSD.
7/ In the end, the number of their cySUSD reaches an incredible amount, which allows them to borrow anything from IronBank. pic.twitter.com/2UfB1cSu0u
— Igor Igamberdiev (@FrankResearcher) February 13, 2021
“A $10 million flash loan was taken, which was also used to increase the number of cySUSD. In the end, cySUSD in his possession reached such a level that it allowed borrowing anything from IronBank”.
8/ Then they borrow:
— 13.2k WETH
— 3.6M USDC
— 5.6M USDT
— 4.2M DAI pic.twitter.com/T7VN2S0D0U— Igor Igamberdiev (@FrankResearcher) February 13, 2021
Then the hacker borrowed:
- 13,200 WETH;
- $3.6 million USDC;
- $5.6 million USDT;
- $4.2 million DAI.
9/ Stablecoins have been deposited to Aave v2,
1k ETH to IronBank deployer,
1k ETH to Homora deployer,
220 ETH to Tornado,
100 ETH granted to Tornado
and almost 11k ETH remain on the exploiter balance.https://t.co/nctC08rg3W pic.twitter.com/MFYWZ46aVi— Igor Igamberdiev (@FrankResearcher) February 13, 2021
After this he deposited stablecoins to various services, including Aave (v2) and Alpha Homora (1000 ETH). Almost 11 000 ETH remained at the hacker’s address, 100 ETH donated to Tornado.Cash, and 1000 ETH sent to the IronBank contract address.
“Of course, some sUSD were spent on repaying the flash loan,” the researcher noted.
6/ Also, a 10M USD flash loan is taken, which is also used to increase the number of cySUSD.
7/ In the end, the number of their cySUSD reaches an incredible amount, which allows them to borrow anything from IronBank”.
8/ Then they borrow:
— 13.2k WETH
— 3.6M USDC
— 5.6M USDT
— 4.2M DAI pic.twitter.com/T7VN2S0D0U— Igor Igamberdiev (@FrankResearcher) February 13, 2021
На фоне произошедшего он депонировал стейблкоины на различные сервисы, включая Aave (v2) и Alpha Homora (1000 ETH). Почти 11 000 ETH остались на адресе злоумышленника, 100 ETH он пожертвовал сервису микширования Tornado.Cash, а 1000 ETH отправил на адрес контракта IronBank.
На фоне произошедшего цена токена CREAM упала с отметок в районе $290 до $220.
Earlier, on February 5, an unknown hacker drained $2.8 million from the yEarn.Finance pool. The DeFi project reimbursed the pool’s losses as a result of the attack.
Subscribe to ForkLog on YouTube!