Yet again, Cream Finance skimmed by crooks: $130m in crypto assets stolen

Decentralized finance biz Cream Finance became further decentralized on Wednesday with the theft of $130m worth of crypto assets from its Ethereum lending protocol.

Cream (cream.finance and not creamfinance.com) reported the loss via Twitter, the third such incident for the loan platform this year.

"Our Ethereum C.R.E.A.M. v1 lending markets were exploited and liquidity was removed on October 27, 1354 UTC," the Taiwan-based biz said. "The attacker removed a total of ~$130m USD worth of tokens from these markets, using this address. No other markets were impacted."

Rendered as an acronym, C.R.E.A.M. stands for Crypto Rules Everything Around Me, and as noted the last time this occurred – when $18.8m in tokens were stolen a mere two months ago – that's a claim that's difficult to reconcile with the repeated looting of company coffers.

Lest we forget, the upstart, which currently has a market capitalization of about $66m based on the number of CREAM tokens in circulation, reportedly lost $37m in February.

DeFu - Decentralized f**kup

Decentralized Finance, or DeFi, is a way to conduct financial transactions without a central governing authority through the automated interaction of smart contracts – code that may or may not have bugs, but probably does.

PeckShield, a blockchain security company founded by Jiang Xuxian, former chief scientist of Qihoo 360, attributed the incident to a bug that the unidentified attacker was able to exploit.

"The hack is made possible due to a price manipulation bug in CREAM price oracle," said PeckShield via Twitter, referring to the mechanism used to look up asset price information in a decentralized system. "And this bug allows a directly transferred yDAI+yUSDC+yUSDT+yTUSD tokens to significantly increase yUSD pricePerShare, which allows for basically borrowing all funds in current lending pools."

• Thief milks CREAM Finance for $18m+ in cryptocurrency after spotting security bug
• OK, so you stole $600m-plus from us, how about you be our Chief Security Advisor, Poly Network asks thief
• $600m in cryptocurrencies swiped from Poly Network
• US proposes tracking digital cash and taxing it to pay for, you know, roads and stuff

The yUSD vault, based on the Yearn protocol, is a fund that consists of crypto coins tied to fiat currencies (e.g. Tether (USDT), USD Coin (USDC)) that accrues value from other transactions like interest, swap fees, and demand for tokens on which it's based.

The bug, according to Mudit Gupta, another blockchain security researcher, involves asset values that change too quickly for Cream to react.

A cunning plan

Gupta contends what happened was market manipulation, not oracle price manipulation.

"In price manipulation, you trick protocol into thinking something is worth more than it actually is," he said via Twitter. "Here, that didn't happen. The protocol was not tricked into an incorrect price. It always had correct pricing info."

Gupta, published a blog post analyzing the attack, which he described as particularly sophisticated and well executed.

"The summary of the attack is that the attacker borrowed $1.5bn of Yearn’s yUSD vault shares against $2bn worth of collateral," he explained. "They then doubled the value of the shares atomically by donating yUSD to the yearn vault. This meant that their debt on Cream became $3bn against a $2bn collateral. They can now default and take home a sweet $1bn profit. Cream only had $130m assets available for lending, so the attacker was limited to $130m profits."

Cream says the situation is now under control.

"With the help of friends from @iearnfinance and others in the community, we were able to identify the vulnerabilities and patch them," the firm said via Twitter. "In the meantime, we've paused our v1 lending markets on Ethereum and we're in the process of putting together a post-mortem review."

"We apologize to our users and community for this unfortunate incident and thank you for your support." ®