
Cream Finance DeFi protocol hacked again
The decentralized Cream Finance protocol has been hacked once again. This was noted by The Block analyst Igor Igamberdiev.
Looks like @CreamdotFinance is dead boys pic.twitter.com/3LlWkonoOO
— Igor Igamberdiev (@FrankResearcher) October 27, 2021
The Cream Finance team estimated the damage from the attack at $130 million. Working with developers from yearn.finance, the team identified and patched the vulnerability. It promised to disclose further details later.
With the help of friends from @iearnfinance and others in the community, we were able to identify the vulnerabilities and patch them.
In the meantime, we’ve paused our v1 lending markets on Ethereum and we’re in the process of putting together a post-mortem review.
— Cream Finance 🍦 (@CreamdotFinance) October 27, 2021
According to Etherscan, an unknown actor used a flash loan in a complex transaction. The fee exceeded 9 ETH ($36,879 at the time). Most of the stolen assets consisted of Cream Finance liquidity-provider tokens and other ERC-20 coins.
The hacker also left a message: “Baave was lucky, Iron Bank was lucky, Cream isn’t.” This likely refers to the Aave, Iron Bank and Cream Finance projects.

Representatives of the project said they are studying the exploit and will disclose details as they become available.
We are investigating an exploit on C.R.E.A.M. v1 on Ethereum and will share updates as soon as they are available.
— Cream Finance 🍦 (@CreamdotFinance) October 27, 2021
According to The Block, the loss amounted to more than $130 million.
At the time of writing, the project’s token had fallen 28.1% in the last hour, according to CoinGecko.

Analytics firm PeckShield said the attack was made possible by an error that “allows borrowing all funds in the current lending pools.”
2/4 The hack is made possible due to a price manipulation bug in CREAM price oracle. And this bug allows a directly transferred yDAI+yUSDC+yUSDT+yTUSD tokens to significantly increase yUSD pricePerShare, which allows for basically borrowing all funds in current lending pools. pic.twitter.com/oETHCPiuWi
— PeckShield Inc. (@peckshield) October 27, 2021
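The mechanism PeckShield describes can be illustrated with a simplified model. This is an added example, not code from Cream Finance, yearn.finance or PeckShield; it shows how a direct transfer raises a balance-based share price and how an oracle that compares the price with a stored checkpoint refuses the inflated value. The `Vault` class, the balance-based price formula, the 0.75 collateral factor, the 2% deviation bound and all amounts are assumptions constructed for illustration.

```python
"""Toy model (constructed) of a vault-share price oracle and a guarded variant."""
from dataclasses import dataclass


@dataclass
class Vault:
    """Simplified share vault; an assumption, not the real yUSD contract."""
    underlying: float    # tokens held by the vault
    total_shares: float  # shares issued to depositors

    def price_per_share(self) -> float:
        # Assumed formula: the price follows the vault's raw token balance.
        return self.underlying / self.total_shares

    def donate(self, amount: float) -> None:
        # A direct transfer adds tokens without minting any new shares.
        self.underlying += amount


def max_borrow(shares: float, price: float, collateral_factor: float = 0.75) -> float:
    """Borrow limit a lending market derives from share collateral."""
    return shares * price * collateral_factor


class GuardedOracle:
    """Rejects a price that moved more than max_step since the checkpoint."""

    def __init__(self, vault: Vault, max_step: float = 0.02):
        self.vault = vault
        self.max_step = max_step
        self.checkpoint = vault.price_per_share()

    def price(self) -> float:
        spot = self.vault.price_per_share()
        if abs(spot - self.checkpoint) / self.checkpoint > self.max_step:
            raise ValueError("share price deviates from checkpoint; pause market")
        return spot


def demo():
    """Return (borrow limit before, borrow limit after, guard blocked?)."""
    vault = Vault(underlying=1_000_000.0, total_shares=1_000_000.0)
    guarded = GuardedOracle(vault)
    before = max_borrow(500_000, vault.price_per_share())
    vault.donate(1_000_000.0)  # constructed amount: doubles the vault balance
    after = max_borrow(500_000, vault.price_per_share())
    try:
        guarded.price()
        return before, after, False
    except ValueError:
        return before, after, True
```

With the unguarded spot price the same collateral supports twice the borrow limit after the transfer, while the guarded oracle raises instead of returning the new price.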
As a reminder, in February an unknown attacker exploited a vulnerability in the Iron Bank protocol (Cream Finance’s second version) and withdrew tokens worth $37.5 million.
On August 30, the Cream Finance DeFi protocol came under attack with the use of a flash loan. The damage amounted to 462 079 976 AMP and 2 804 ETH (more than $18 million).
On September 8, the hacker transferred the majority of the stolen sum, amounting to 5 152.6 ETH, to the project’s multisig wallet.
In early October, developers confirmed that the project had recovered 5 152.6 ETH. The hacker was allowed to keep 10% of the stolen funds – about 515 ETH – as a reward for the bug.