CREAM Finance Exploited Again, This Time for $130 Million

DeFi lending protocol Cream Finance has been attacked again, this time to the tune of US$130 million, in what is its third and biggest hack by far.

Flash Loan Attack on 68 Different Assets

As highlighted by blockchain security firm PeckShield, the attacker managed to exploit the platform through a flash loan attack that involved at least 68 different assets and cost around 9 ETH. Of the estimated US$130 million drained, at press time US$92 million was held in the attacker’s contract while US$22 million was held by the contract creator’s address. 

Cream Finance confirmed the event on October 27, revealing that the C.R.E.A.M. v1 marketplace on Ethereum had been attacked. The hacker took mostly Cream LP tokens and some other ERC-20 tokens: 

However, it appears that Yearn Finance, a group of DeFi protocols running on the Ethereum blockchain, had salvaged US$9.42 million from the hacker:

Third-Biggest Hack in DeFi History

A few months ago, Cream Finance suffered its second flash loan exploit in which it lost US$19 million. While the team promised to pay back its affected users, it’s unclear as to whether there’s going to be another compensation program.

This hack positions Cream Finance among the biggest DeFi hacks in history. And while Rekt’s leaderboard has not been updated, this attack relegates EasyFi’s US$59 million exploit to fourth spot, while Poly Network and Compound are at the top.

Compound has also been hit hard by malicious actors. As Crypto News Australia reported earlier this month, Compound Labs suffered its second major blow after another bug in the platform was found, putting US$162 million at risk.

DeFi hacks accounted for 76 percent of cyberattacks in 2021, causing users to lose more than US$470 million in DeFi platforms. This clearly suggests that while the space is an emerging ecosystem full of opportunities, there is cause for caution as it’s also a lucrative target for malicious actors.