Introduction
Table of Contents
On October 27, 2021, Cream Finance, a prominent decentralized lending protocol on the Ethereum blockchain, experienced a critical exploit that resulted in a massive security breach.
This breach led to the theft of over $136 million worth of crypto assets from the C.R.E.A.M. v1 lending markets. Notably, the stolen assets comprised largely of ERC-20 coins and C.R.E.A.M. Liquidity Protocol tokens.
In this report, we will delve into the background of Cream Finance, shed light on its prior vulnerabilities, provide detailed insights into the recent exploit, examine its root cause, and discuss the subsequent remedial actions taken by Cream Finance.
What is Cream Finance?
Cream Finance operates as a decentralized lending and borrowing protocol on the Ethereum blockchain. Its primary function is to enable users to lend out their assets and earn interest or borrow assets by keeping collateral.
Over time, Cream Finance has become a significant player in the Decentralized Finance (DeFi) space.
History of Cream Finance Exploits
Cream Finance hasn’t had a smooth run throughout its journey. The year 2021 saw Cream Finance at the receiving end of multiple attacks:
February 13, 2021: Alpha Homora, a leverage liquidity protocol, suffered a flash loan attack that targeted Cream Finance’s Iron Bank Service. The attack led to a loss of $37 million from Alpha Homora.
August 3, 2021: A reentrancy attack was executed against Cream Finance. This attack involved a bug in the smart contract, allowing the attacker to loop withdrawal requests. The primary exploit resulted in the loss of 462,079,976 AMP tokens and 2,804.96 ETH.
The recurrence of these attacks underlines Cream Finance’s vulnerabilities and challenges in maintaining users’ trust.
Key Details of the Exploit
Initial Breach
The attacker initiated the exploit by borrowing a staggering $500 million DAI from MakerDao. The subsequent chain of actions involved leveraging Yearn vaults, Curve pools, and finally, exploiting Cream Finance’s lending system.
Vulnerability Exploited
The attacker identified and exploited a flaw in the platform’s lending system. This vulnerability allowed the attacker to manipulate Cream Finance’s assets and tokens, draining a significant portion of its liquidity.
Addresses Involved:
- Address A: 0x961d2b694d9097f35cfffa363ef98823928a330d
- Address B: 0xf701426b8126bc60530574cecdcb365d47973284
- Attacker’s Address: 0x24354d31bc9d90f62fe5f2454709c32049cf866b
- Additional involved addresses: 0x921760e71fb58dcc8DE902cE81453E9e3D7fe253 and 0x70747df6AC244979A2ae9CA1e1A82899d02bbea4.
Detailed Analysis of the Exploit
Address A (0x961d2b694d9097f35cfffa363ef98823928a330d):
- Borrowed $500 million DAI from MakerDao.
- Deposited the DAI into the yDAI Yearn vault, obtaining 500 yDAI.
- Deposited the yDAI into yUSD Curve pool to attain yUSD.
- Deposited the yUSD into the yUSD Yearn vault, boosting its balance to $511 million.
- Supplied yUSDVault into C.R.E.A.M., receiving $500 million cryUSD. Address B (0xf701426b8126bc60530574cecdcb365d47973284):
- Borrowed $2 billion Ethereum via a flash loan.
- Deposited the Ethereum into C.R.E.A.M., securing $2 billion cEther as collateral.
- Borrowed $500 million yUSDVault using the cEther collateral.
- Repeated this process, borrowing and transferring funds to Address A, increasing its balance.
- Used Address A to purchase $3 million DUSD from Curve, then burned the DUSD to unlock underlying collateral.
- Managed a manipulation to make C.R.E.A.M. believe the value of assets in Address A was doubled. Used this inflated collateral to borrow more assets.
Final Transaction Flow
The attacker, having manipulated the perceived value of assets, borrowed $2 billion ETH using the inflated collateral in Address A.
After repaying the flash loans with ETH and yUSD, the attacker leveraged the remaining collateral to withdraw about $136 million from C.R.E.A.M.
End Results
The attacker’s primary address, 0x24354d31bc9d90f62fe5f2454709c32049cf866b, accumulated the stolen funds post-hack. The assets were then redistributed between two addresses: 0x921760e71fb58dcc8DE902cE81453E9e3D7fe253 and 0x70747df6AC244979A2ae9CA1e1A82899d02bbea4.
The following tokens were stolen:
| Token Name | Token Value | USD Price | Token Value USD |
| Ether | 2,760.22 | $4,152.57 | $41,451,415.95 |
| FEI | 3,817,374.50 | $1.00 | $11,462,007.56 |
| DPI | 15,567.58 | $355.48 | $8,482,951.78 |
| BUSD | 510,018.97 | $1.00 | $8,109,199.33 |
| USDC | 1,690,395.70 | $1.00 | $7,636,531.34 |
| USDT | 3,780,808.76 | $1.00 | $5,533,924.98 |
| HBTC | 20.08 | $60,603.80 | $5,256,796.16 |
| WBTC | 32.73 | $60,603.80 | $4,162,514.11 |
| bBADGER | 48,361.42 | $35.61 | $3,817,374.50 |
| renBTC | 23.26 | $60,279.93 | $3,780,808.76 |
| OCEAN | 1,272,378.57 | $0.93 | $3,103,966.83 |
| OGN | 1,067,935.59 | $0.88 | $2,856,501.72 |
| FRAX | 782,197.34 | $1.00 | $2,449,223.86 |
| AAVE | 2,190.16 | $329.16 | $2,090,847.54 |
| UST | 803,779.11 | $1.00 | $1,983,503.41 |
| YFI | 35.07 | $37,544.01 | $1,919,269.40 |
| BAL | 27,962.14 | $24.51 | $1,722,314.49 |
| COMP | 275.1 | $342.57 | $1,690,395.70 |
| yDAl+yUSDC+yUSDFITUSD | 166,322.91 | $1.00 | $1,402,155.38 |
| LINK | 11,790.56 | $32.45 | $1,327,568.87 |
| CRV | 165,940.54 | $4.61 | $1,325,841.97 |
| MTA | 283,272.63 | $0.97 | $1,316,700.36 |
| SUSHI | 116,602.96 | $11.39 | $1,217,081.84 |
| FTX | 38,922.15 | $62.93 | $1,178,742.41 |
| SRM | 109,383.94 | $7.63 | $937,404.61 |
| UNI | 156,629.16 | $26.58 | $834,170.69 |
| wNXM | 135,402.94 | $59.89 | $803,779.11 |
| CEL | 54,380.22 | $4.87 | $782,197.34 |
| BOND | 899.86 | $28.67 | $765,601.16 |
| KP3R | 871.6 | $383.96 | $721,689.67 |
| HFIL | 4,914.34 | $62.45 | $720,921.12 |
| CRETH2 | 12,266.46 | $3,379.25 | $685,226.96 |
| DAI | 1,325,841.97 | $1.00 | $510,018.97 |
| HEGIC | 538,952.21 | $0.14 | $495,000.38 |
| ESD | 2,821,793.10 | $0.03 | $485,808.79 |
| 1INCH | 64,359.29 | $3.95 | $431,257.71 |
| OMG | 7,815.94 | $14.17 | $382,623.63 |
| xSUSHI | 623,760.53 | $13.60 | $334,657.28 |
| SLP | 611.57 | $0.07 | $306,911.19 |
| SLP | 3,085.26 | $0.07 | $297,730.75 |
| SLP | 16.6 | $0.07 | $273,620.81 |
| PICKLE | 76.07 | $9.68 | $264,608.39 |
| AKRO | 3,203,107.70 | $0.04 | $254,128.23 |
| ALPHA | 194,020.72 | $1.10 | $213,422.95 |
| FTM | 137,235.69 | $3.14 | $166,322.91 |
| RUNE | 418,917.29 | $12.55 | $117,434.56 |
| PERP | 447,222.59 | $17.08 | $110,788.82 |
| yvCurve-lronBank | 480,582.89 | $1.03 | $94,240.96 |
| yvCurve-stETH | 747.48 | $4,152.57 | $86,450.33 |
| ARMOR | 1,515,737.12 | $0.20 | $84,841.04 |
| VSP | 488.51 | $6.69 | $77,338.17 |
| vVSP | 46,893.19 | $10.36 | $70,854.23 |
| GNO | 6,937.02 | $411.78 | $58,538.71 |
| SWAP | 79,792.24 | $1.08 | $53,983.79 |
| WOO | 578,182.81 | $1.25 | $25,798.56 |
| BNT | 12,804.66 | $4.22 | $3,266.82 |
| EURT | 1,656,508.17 | $1.16 | $2,576.60 |
| ibBTC | 0.98 | $59,674.65 | $735.95 |
| YGG | 341,681.58 | $6.12 | $216.39 |
| SAND | 3,103.00 | $0.83 | $42.89 |
| MANA | 86,956.33 | $0.81 | $1.16 |
| Total Losses: | $136,731,849.88 |
Root Cause and Attack Flow
Attack Transaction
The starting point of this exploit can be traced back to the transaction:
https://etherscan.io/tx/0x0fe2542079644e107cbf13690eb9c2c65963ccb79089ff96bfaf8dced2331c92
Attack Mechanics and Sequence
- Flash Mint: Attacker initiates a flash mint of $500 million DAI from MakerDAO.
- Yearn 4-Curve Pool: Deposits the DAI into Yearn 4-Curve pool.
- Yearn yUSD Vault: The Yearn 4-Curve from the previous step is then deposited into Yearn yUSD vault.
- Cream yUSD Market: The yUSD from the previous step is deposited into Cream’s yUSD market.
- AAVE v2: Borrows over 500,000 Ether using a flash loan from AAVE v2.
- Ether Deposit: From a secondary smart contract (Account 2), the attacker deposits this Ether into Cream’s ETH market.
- yUSD Borrow and Deposit: The attacker borrows yUSD from Account 2 and deposits it into Account 1 as collateral. This action is performed twice.
- yUSD Transfer: The attacker then borrows yUSD from Account 2 and transfers it to Account 1.
- yUSD Vault Withdrawal: The attacker withdraws Yearn 4-Curve from yUSD vault.
- Manipulating the Oracle: The attacker sends $10 million of Yearn 4-Curve to yUSD vault, exploiting the hybrid oracle and manipulating the price.
- Liquidity Drain: The attacker borrows all available liquidity using Account 1.
- Swaps: Converts stolen funds into DAI and WETH.
- Flash Loan Repayment: Withdraws DAI from Yearn 4-Curve to repay the DAI flash mint and the AAVE ETH flash loan.
- Profit Securing: The attacker ensures all profits are secure.
Root Causes
- Manipulatable Hybrid Oracle: At step 10, the attacker exploits a vulnerability in the easily manipulatable hybrid Oracle system.
- Uncapped Token Supply: In steps 7 and 8, the uncapped supply of a token allows the attacker to trick the protocol. By supplying the same asset multiple times, the system believes that much higher collateral is available.
Detailed Attack Dynamics
yUSD Contract Mechanism: The yUSD contract’s exchange rate is guided by the ratio of 4-Curve tokens that the yUSD vault can access, compared to the total yUSD tokens in circulation. By sending more Yearn 4-Curve tokens to the vault, the attacker artificially doubles the value of 4-Curve tokens accessible to yUSD. This manipulates the reported exchange rate of the vault, subsequently altering the value the Oracle reports for the yUSD token.
Aftermath of Increased Exchange Rate
- Account 1: $3 billion in collateral and no borrowing.
- Account 2: $2 billion in collateral, $3 billion in debt, effectively insolvent.
- The attacker has debts of $2 billion in ETH and $500 million in DAI.
- The attacker possesses an excess of $500 million in value, enough to drain the protocol.
Repayment and Profit
Post-manipulation, the attacker borrows back the supplied ETH to repay the AAVE flash loan. The remaining over-collateralized collateral (approx. $1 billion) allows the attacker to borrow and drain the last $130 million of liquid collateral in the protocol’s lending markets.
After converting the stolen collateral to sufficient DAI and ETH to clear flash borrowing, the exploit gets completed.
The profits from this attack were divided between two wallets, suggesting a possible collaboration between two attackers.
Remedies Taken by Cream Finance
In the aftermath of the exploit, Cream Finance adopted multiple strategies to contain the damage and prevent further exploits:
- Suspended all interactions with Ethereum v1 markets.
- Locked crTokens on Cream Ethereum v1 markets, making further transfers of crTokens impossible.
- Stopped supply/borrowing of all wrappable tokens, including all PancakeSwap LP tokens.
- Initiated a dialogue with the attacker, urging the return of users’ funds and offering a bug bounty for cooperation.
Conclusion
The recurring attacks on Cream Finance emphasize the nascent nature of DeFi platforms and the inherent vulnerabilities that exist within smart contracts.
While the immediate remedial actions taken by Cream Finance were commendable, the series of events underscores the importance of comprehensive security measures in the rapidly evolving world of decentralized finance.