Cream Finance Hack: $130 Million Stolen in Exploit

Summary

On October 27, 2021, Cream Finance, a decentralized finance (DeFi) lending platform, was exploited for roughly $130 million worth of cryptocurrency. The attacker combined a flaw in Cream Finance's lending pool contract with manipulation of its price oracle, chaining a series of transactions that inflated the recorded value of their collateral until they could borrow against it and drain the protocol's liquidity.

Attackers

The attackers remain unidentified.

Losses

$130M USD

Timeline

Security Failure Causes

  • Uncapped Token Supply: Cream Finance imposed no cap on how much of an asset a single account could supply as collateral. The attacker exploited this by supplying the same asset over and over, re-depositing what they had borrowed against earlier deposits, so that the collateral the protocol counted, and the borrowing capacity it granted, grew far beyond the capital the attacker actually held.
  • Oracle Vulnerability: The damage was amplified by an easily manipulated hybrid oracle. It derived the price of certain tokens from the assets held by the Yearn 4-Curve pool, so by moving assets into that pool the attacker could double the reported value of those tokens. Because the protocol used this oracle to value both collateral and borrowed tokens, its health calculations were distorted in the attacker's favour.
  • Lack of Reentrancy Guard: Cream Finance had no protocol-level reentrancy guard. Such a guard stops a caller from re-entering the protocol's functions through an external call before an earlier call has finished updating state; without it, nothing interrupted the attacker's chain of nested transactions.
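The first two causes above can be reproduced in a small model. The following is an added example written for this page, not code from Cream Finance or Yearn: a vault whose share price is total assets divided by total shares (so a direct transfer of assets into it raises the price of every share), and a lending pool that accepts those shares as collateral. All amounts, the 0.9 collateral factor, the `supply_cap` and `anchor_price` parameters and the `run_attack` helper are constructed assumptions; flash loans, interest and the protocols' real contracts are left out.

```python
"""Toy model of the collateral-recycling and share-price-oracle failures.

Added example, not Cream Finance or Yearn code. The vault, the pool, the
prices and the amounts are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Vault:
    """Yield vault whose share price is total_assets / total_supply.

    Tokens transferred straight into the vault (a 'donation') raise
    total_assets without minting shares, so every existing share becomes
    more expensive. That is the lever an asset-based oracle exposes.
    """
    total_assets: float = 0.0
    total_supply: float = 0.0

    def price_per_share(self) -> float:
        if self.total_supply == 0:
            return 1.0
        return self.total_assets / self.total_supply

    def deposit(self, assets: float) -> float:
        shares = assets / self.price_per_share()
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def donate(self, assets: float) -> None:
        self.total_assets += assets  # no shares minted


@dataclass
class LendingPool:
    """Lending market that accepts vault shares as collateral and also lends
    the same shares out, so a borrower can redeposit what it just borrowed.

    supply_cap=None and anchor_price=None model the weak configuration;
    setting either one enables the corresponding mitigation (assumed names).
    """
    vault: Vault
    collateral_factor: float = 0.9
    supply_cap: Optional[float] = None    # max shares one account may post
    anchor_price: Optional[float] = None  # trusted reference price, e.g. a TWAP
    max_deviation: float = 0.10           # reject spot prices >10% off the anchor
    collateral: float = 0.0               # attacker's posted shares
    debt: float = 0.0                     # attacker's debt, in asset units

    def price(self) -> float:
        spot = self.vault.price_per_share()
        if self.anchor_price is not None:
            if abs(spot - self.anchor_price) > self.max_deviation * self.anchor_price:
                raise ValueError("oracle: spot price deviates from anchor")
        return spot

    def supply(self, shares: float) -> None:
        if self.supply_cap is not None and self.collateral + shares > self.supply_cap:
            raise ValueError("supply cap exceeded")
        self.collateral += shares

    def capacity(self) -> float:
        """Asset value the account may still borrow."""
        return self.collateral * self.price() * self.collateral_factor - self.debt

    def borrow(self, amount: float) -> None:
        if amount > self.capacity() + 1e-9:
            raise ValueError("insufficient collateral")
        self.debt += amount


def run_attack(supply_cap=None, anchor_price=None, rounds=30, donation=2000.0) -> dict:
    """Recycle collateral `rounds` times, then donate to the vault and report
    how much more the attacker may borrow against the same shares."""
    vault = Vault()
    vault.deposit(1000.0)                        # honest depositors (constructed)
    pool = LendingPool(vault, supply_cap=supply_cap, anchor_price=anchor_price)
    shares = vault.deposit(1000.0)               # attacker's real capital
    # Step 1: supply, borrow the same asset back, resupply. Each round adds
    # collateral_factor times the previous amount, so posted collateral
    # approaches 1000 / (1 - 0.9) = 10,000 shares backed by 1,000 of capital.
    for _ in range(rounds + 1):
        try:
            pool.supply(shares)
        except ValueError:
            break                                # supply cap hit: recycling stops
        shares = pool.capacity()
        pool.borrow(shares)
    # Step 2: donate 2000 assets against 2000 outstanding shares, so
    # price_per_share goes from 1.0 to 2.0 and the posted collateral doubles.
    vault.donate(donation)
    attacker_capital = 1000.0 + donation
    try:
        capacity_after = pool.capacity()
        blocked = None
    except ValueError as err:
        capacity_after, blocked = 0.0, str(err)
    return {"collateral": pool.collateral, "debt": pool.debt,
            "capacity_after": capacity_after,
            "attacker_capital": attacker_capital, "blocked": blocked}


if __name__ == "__main__":
    for name, kw in [("weak", {}), ("supply cap", {"supply_cap": 1000.0}),
                     ("anchored oracle", {"anchor_price": 1.0})]:
        print(name, run_attack(**kw))
```

In the weak configuration the attacker ends with about 9,600 shares of collateral and can borrow roughly 8,650 of other assets after the donation, against 3,000 of real capital. A supply cap leaves the price manipulation intact but bounds the borrowable amount to 900, below what the attacker spent; an anchored oracle refuses to value collateral at the manipulated spot price at all. A deviation check only refuses a price, so in practice it is paired with pricing vault shares from an independent valuation of their underlying rather than from the vault's own asset balance.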