Cream Finance has suffered yet another flash loan exploit, its third of the year, this time losing $130 million. The attacker used the lending markets on Ethereum C.R.E.A.M v1 to manipulate the price of yUSD and make off with the funds.
Cream Finance revealed on Oct 27 that it was subject to another hack. The team announced that they were investigating an exploit on C.R.E.A.M v1 on Ethereum, following up later with additional details on the incident. However, the team is yet to release a postmortem on the matter.
The lending markets on C.R.E.A.M v1 were exploited with the liquidity of $130 million stolen by the attacker using this address. The team has already identified the flaw and patched it, working with Yearn.Finance to do so. It has also paused the lending markets and is forming a postmortem on the incident.
The crypto community has not gone easy on Cream Finance, providing some insight into how the hacker cleverly executed the attack. Some developers pointed out that the attacker had left messages, with these messages saying that Aave and Iron Bank were “lucky.” The attacker even blatantly named the smart contract used as “Cream Finance Flash Loan Exploiter.”
Until the postmortem arrives, there will be little information on the matter. BlockSec, a blockchain security team, conducted an initial analysis of the attack, which shows how the hacker used the lending markets to manipulate the price of yUSD.
The attacker does not seem to have been identified, and users will be concerned about the exploit. This is not the first time Cream Finance has been exploited and is a reminder that some of the market’s most well-known DeFi protocols are still vulnerable.
Not the first Cream Finance hack, not the last DeFi hack
Cream Finance has suffered multiple attacks in the past, with the most recent occurring through a $25 million flash loan attack in late August 2021. That was the second of the now-three attacks that have occurred in 2021, with the first occurring in February that saw $37.5 million stolen.
Such incidents further put the spotlight on the security of DeFi protocols, which have long been the target of attackers. The popularity of DeFi platforms and the complexity of their design make the sector a lucrative target for tech-savvy attackers.
Cryptocurrency intelligence firm CipherTrade released a report in August 2021 that showed the DeFi market saw a record loss from attacks in 2021, totaling approximately $474 million between January and July 2021. Such attacks do not always spell doom and gloom for affected DeFi protocols, as several have recovered following such incidents.