Ethereum defi protocol Cream Finance suffered an exploit yesterday that allowed attackers to steal $130 million from its holdings. The news was first revealed by Peckshield, a blockchain analytics company that discovered a flash loan had exploited the platform. This is the third hack the protocol has suffered in its history, being exploited for $36 and $29 million before, respectively.
Cream Finance Hacked Yet Again
Cream Finance, an Ethereum-based lending and borrowing protocol, suffered an exploit that allowed the hackers to steal $130 million worth of ether and ERC-20 tokens. According to Slowmist, a blockchain security organization, the attack netted 2,760.22 ether and 60 tokens including HBTC, USDT, BUSD, and others. The attack was perpetrated in the form of a series of flash loans in a very unorthodox way, which has led some to think the hacker was an experienced defi developer.
Another blockchain security firm, Peckshield, broke the news, linking to the flash loan that caused the hack via Twitter. The firm supposed the attack was possible due to a bug in a price oracle. The Cream team quickly acknowledged the situation, informing users about the hack. They also stated:
With the help of friends from Yearn Finance and others in the community, we were able to identify the vulnerabilities and patch them. In the meantime, we’ve paused our v1 lending markets on Ethereum and we’re in the process of putting together a post-mortem review.
The Cream Finance team has since been trying to communicate with the hackers, offering to give them 10% of all the tokens that were lost. This is a known strategy that has paid off for some protocols that have been exploited in the past. Still, no response has been received.
The exploit transaction carries an enigmatic message that seems to point in the direction of this being a directed action against the protocol. The message, that also mentioned other protocols, stated:
gÃTµ Baave lucky, iron bank lucky, cream not. ydev : incest bad, dont do.
This is not the first time that Cream has been exploited. The protocol has a rather bad record, having been exploited three times during this year. The first time, in February, the protocol’s Iron Bank lost $36 million in another flash loan attack. After that event, Cream Finance was hacked again in August, when an exploit caused losses of $29 million.
What do you think about Cream Finance’s last exploit and the strange circumstances that surround it? Tell us in the comments section below.