Decentralized finance has come a long way over the last year, with new and innovative features constantly evolving and adapting to new projects and contracts. However exploits still occur, as was seen on Feb. 13.
Popular DeFi project CREAM saw a massive $37.5 million flash loan exploit take place on Saturday. While the story is still developing, the team announced the attack. They stated that they are working on a post mortem through relevant parties.
It appears the exploit took place using Alpha Homora through the borrowing of sUSD from IronBank.
While just how the exploiter managed to continuously lend double the amount of funds, it appears that 13,200 WETH, 3.6 million USDC, 5.6 million USDT, and 4.2 million DAI have been taken by the perpetrator.
Research analyst at The Block Igor Igamberdiev detailed on Twitter the process and how it unfolded:
It is believed that Alpha Labs has patched the issue. And while the funds were exploited through Alpha Hamora, an Ethereum protocol for leveraging your position in yield farming pools, the funds were borrowed by the exploiter.
Alpha Labs has since stated that they are working with YFI founder Andre Cronje and CREAM Finance to investigate the stolen funds. They say that a prime suspect has already been identified.
CREAM Dumps on Attack
Following the exploit on Alpha Hamora, CREAM saw a 40% decline in price. It fell from $285 to $173.
As one of the deployers, the price suffered a dramatic drop before seeing some recovery. CREAM has announced that everything is functioning as normal. The team re-started markets, and a post mortem will follow.
Sign of the Times
This hack comes as the number of attacks rises with the bitcoin bull cycle. On Jan. 26, a hacker exploited a system vulnerability on SushiSwap using the Badger DAO token DIGG. The hacker made off with 81 ETH, worth approximately $103,842 at the time.
Following a hack late in December 2020, Livecoin closed its doors permanently on Jan. 19. While the SushiSwap and Cream attacks seem to be simple exploits, the Livecoin case is different. The event looks to some to be an exit scam run by some of its principals. Technically, the event is interesting because the price of bitcoin on Livecoin reached $222,000 before the exchange shut down. Ethereum reached $6500 as well.
On Dec. 28, a white-hat hacker stole $3 million from Cover Protocol, only to return it a few hours later. In this case, the hacker used an infinite minting bug to create excess COVER tokens.