{"id":36402,"date":"2021-02-13T16:00:10","date_gmt":"2021-02-13T14:00:10","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=36402"},"modified":"2025-08-29T06:11:17","modified_gmt":"2025-08-29T03:11:17","slug":"hacker-drains-37-5-million-from-cream-finance-defi-protocol","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/hacker-drains-37-5-million-from-cream-finance-defi-protocol\/","title":{"rendered":"Hacker drains $37.5 million from Cream Finance DeFi protocol"},"content":{"rendered":"<p>The attacker exploited a vulnerability in the Iron Bank DeFi protocol (Cream Finance&#8217;s second version) and withdrew tokens totaling $37.5 million.<!--more--><\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"und\"><a href=\"https:\/\/t.co\/C8cMhz4dnG\">https:\/\/t.co\/C8cMhz4dnG<\/a><\/p>\n<p>\u2014 Cream Finance \ud83c\udf66 (@CreamdotFinance) <a href=\"https:\/\/twitter.com\/CreamdotFinance\/status\/1360537996995354625?ref_src=twsrc%5Etfw\">February 13, 2021<\/a><\/p>\n<\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote>\n<p>&#8220;We are aware of the potential vulnerability and are studying it. Thank you for your support in our investigation,&#8221; said representatives of Cream Finance.<\/p>\n<\/blockquote>\n<p>The Block analyst Igor Igamberdiev tallied $37.5 million in losses for the project due to the exploit. He also outlined the hacker&#8217;s sequence of actions.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">IronBank ($CREAM) was exploited on $37.5M, let\u2019s take a quick look at what happened.\ud83d\udc47<\/p>\n<p>1\/ Attacker used Alpha Homora for borrowing sUSD from IronBank.<br \/>\nEach time they borrow twice as much as in the previous one.<\/p>\n<p>\u2014 Igor Igamberdiev (@FrankResearcher) <a href=\"https:\/\/twitter.com\/FrankResearcher\/status\/1360513422689984512?ref_src=twsrc%5Etfw\">February 13, 2021<\/a><\/p>\n<\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote>\n<p>&#8220;The attacker used Alpha Homora to borrow funds from IronBank. Each time he borrowed twice as much as in the previous case&#8221;.<\/p>\n<\/blockquote>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p dir=\"ltr\" lang=\"en\">2\/ They do this through two transactions and each time they lend the funds back into IronBank, receiving cySUSD.<\/p>\n<p>3\/ At some point exploiter took $1.8M USDC flash loan from Aave v2 and swapped USDC to sUSD using Curve. <a href=\"https:\/\/t.co\/fSheiqZ6lO\">pic.twitter.com\/fSheiqZ6lO<\/a><\/p>\n<p>\u2014 Igor Igamberdiev (@FrankResearcher) <a href=\"https:\/\/twitter.com\/FrankResearcher\/status\/1360513427391860736?ref_src=twsrc%5Etfw\">February 13, 2021<\/a><\/p>\n<\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote>\n<p>&#8220;He did this via two transactions, each time lending the funds back into IronBank and receiving cySUSD.&#8221;<\/p>\n<\/blockquote>\n<p>After this he deposited the sUSD into IronBank. This allowed the hacker to continue borrowing and supplying funds, ending up with cySUSD.<\/p>\n<blockquote>\n<p>&#8220;Of course, some sUSD were spent on repaying the flash loan,&#8221; the researcher noted.<\/p>\n<\/blockquote>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p dir=\"ltr\" lang=\"en\">6\/ Also, a $10 million flash loan is taken, which is also used to increase the number of cySUSD.<\/p>\n<p>7\/ In the end, the number of their cySUSD reaches an incredible amount, which allows them to borrow anything from IronBank. <a href=\"https:\/\/t.co\/2UfB1cSu0u\">pic.twitter.com\/2UfB1cSu0u<\/a><\/p>\n<p>\u2014 Igor Igamberdiev (@FrankResearcher) <a href=\"https:\/\/twitter.com\/FrankResearcher\/status\/1360513434580836352?ref_src=twsrc%5Etfw\">February 13, 2021<\/a><\/p>\n<\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote>\n<p>&#8220;A $10 million flash loan was taken, which was also used to increase the number of cySUSD. In the end, cySUSD in his possession reached such a level that it allowed borrowing anything from IronBank&#8221;.<\/p>\n<\/blockquote>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p dir=\"ltr\" lang=\"en\">8\/ Then they borrow:<br \/>\n\u2014 13.2k WETH<br \/>\n\u2014 3.6M USDC<br \/>\n\u2014 5.6M USDT<br \/>\n\u2014 4.2M DAI <a href=\"https:\/\/t.co\/T7VN2S0D0U\">pic.twitter.com\/T7VN2S0D0U<\/a><\/p>\n<p>\u2014 Igor Igamberdiev (@FrankResearcher) <a href=\"https:\/\/twitter.com\/FrankResearcher\/status\/1360513440729731073?ref_src=twsrc%5Etfw\">February 13, 2021<\/a><\/p>\n<\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Then the hacker borrowed:<\/p>\n<ul>\n<li>13,200 WETH;<\/li>\n<li>$3.6 million USDC;<\/li>\n<li>$5.6 million USDT;<\/li>\n<li>$4.2 million DAI.<\/li>\n<\/ul>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p dir=\"ltr\" lang=\"en\">9\/ Stablecoins have been deposited to Aave v2,<br \/>1k ETH to IronBank deployer,<br \/>1k ETH to Homora deployer,<br \/>220 ETH to Tornado,<br \/>100 ETH granted to Tornado<br \/>and almost 11k ETH remain on the exploiter balance.<a href=\"https:\/\/t.co\/nctC08rg3W\">https:\/\/t.co\/nctC08rg3W<\/a> <a href=\"https:\/\/t.co\/MFYWZ46aVi\">pic.twitter.com\/MFYWZ46aVi<\/a><\/p>\n<p>\u2014 Igor Igamberdiev (@FrankResearcher) <a href=\"https:\/\/twitter.com\/FrankResearcher\/status\/1360513446454861829?ref_src=twsrc%5Etfw\">February 13, 2021<\/a><\/p>\n<\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>After this he deposited stablecoins to various services, including Aave (v2) and Alpha Homora (1000 ETH). Almost 11 000 ETH remained at the hacker&#8217;s address, 100 ETH donated to Tornado.Cash, and 1000 ETH sent to the IronBank contract address.<\/p>\n<blockquote>\n<p>&#8220;Of course, some sUSD were spent on repaying the flash loan,&#8221; the researcher noted.<\/p>\n<\/blockquote>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p dir=\"ltr\" lang=\"en\">6\/ Also, a 10M USD flash loan is taken, which is also used to increase the number of cySUSD.<\/p>\n<p>7\/ In the end, the number of their cySUSD reaches an incredible amount, which allows them to borrow anything from IronBank&#8221;.<\/p>\n<\/blockquote>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p dir=\"ltr\" lang=\"en\">8\/ Then they borrow:<br \/>\n\u2014 13.2k WETH<br \/>\n\u2014 3.6M USDC<br \/>\n\u2014 5.6M USDT<br \/>\n\u2014 4.2M DAI <a href=\"https:\/\/t.co\/T7VN2S0D0U\">pic.twitter.com\/T7VN2S0D0U<\/a><\/p>\n<p>\u2014 Igor Igamberdiev (@FrankResearcher) <a href=\"https:\/\/twitter.com\/FrankResearcher\/status\/1360513440729731073?ref_src=twsrc%5Etfw\">February 13, 2021<\/a><\/p>\n<\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>\u041d\u0430 \u0444\u043e\u043d\u0435 \u043f\u0440\u043e\u0438\u0437\u043e\u0448\u0435\u0434\u0448\u0435\u0433\u043e \u043e\u043d \u0434\u0435\u043f\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043b \u0441\u0442\u0435\u0439\u0431\u043b\u043a\u043e\u0438\u043d\u044b \u043d\u0430 \u0440\u0430\u0437\u043b\u0438\u0447\u043d\u044b\u0435 \u0441\u0435\u0440\u0432\u0438\u0441\u044b, \u0432\u043a\u043b\u044e\u0447\u0430\u044f Aave (v2) \u0438 Alpha Homora (1000 ETH). \u041f\u043e\u0447\u0442\u0438 11 000 ETH \u043e\u0441\u0442\u0430\u043b\u0438\u0441\u044c \u043d\u0430 <a href=\"https:\/\/etherscan.io\/address\/0x905315602ed9a854e325f692ff82f58799beab57\" target=\"_blank\" rel=\"noopener\">\u0430\u0434\u0440\u0435\u0441\u0435 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430<\/a>, 100 ETH \u043e\u043d \u043f\u043e\u0436\u0435\u0440\u0442\u0432\u043e\u0432\u0430\u043b \u0441\u0435\u0440\u0432\u0438\u0441\u0443 \u043c\u0438\u043a\u0448\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f Tornado.Cash, \u0430 1000 ETH \u043e\u0442\u043f\u0440\u0430\u0432\u0438\u043b \u043d\u0430 \u0430\u0434\u0440\u0435\u0441 \u043a\u043e\u043d\u0442\u0440\u0430\u043a\u0442\u0430 IronBank.<\/p>\n<p>\u041d\u0430 \u0444\u043e\u043d\u0435 \u043f\u0440\u043e\u0438\u0437\u043e\u0448\u0435\u0434\u0448\u0435\u0433\u043e \u0446\u0435\u043d\u0430 \u0442\u043e\u043a\u0435\u043d\u0430 CREAM <a href=\"https:\/\/www.coingecko.com\/en\/coins\/cream\" target=\"_blank\" rel=\"noopener\">\u0443\u043f\u0430\u043b\u0430 \u0441 \u043e\u0442\u043c\u0435\u0442\u043e\u043a \u0432 \u0440\u0430\u0439\u043e\u043d\u0435 $290 \u0434\u043e $220<\/a>.<\/p>\n<p>Earlier, on February 5, an unknown hacker drained $2.8 million from the yEarn.Finance pool. The DeFi project <a href=\"https:\/\/forklog.com\/en\/news\/yearn-finance-reimbursed-losses-to-the-v1-ydai-pool-after-attack\">reimbursed the pool&#8217;s losses<\/a> as a result of the attack.<\/p>\n<p>Subscribe to ForkLog on <a href=\"https:\/\/www.youtube.com\/channel\/UCC9FnXTC8_ENzaNSO5cHQ6g\" target=\"_blank\" rel=\"nofollow noopener\"> YouTube<\/a>!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The attacker exploited a vulnerability in the Iron Bank DeFi protocol (Cream Finance&#8217;s v2) and withdrew tokens totaling $37.5 million.<\/p>\n","protected":false},"author":1,"featured_media":36403,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[2101,1093],"class_list":["post-36402","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cream-finance","tag-defi"],"aioseo_notices":[],"amp_enabled":true,"views":"30","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/36402","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=36402"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/36402\/revisions"}],"predecessor-version":[{"id":36404,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/36402\/revisions\/36404"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/36403"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=36402"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=36402"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=36402"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}