Cream Finance Offers the Attacker 10% of Stolen Fund as Bug Bounty on Return of Funds


In its post mortem of the third hack of this year, this time of $130 million, Cream Finance shared that they are working with the authorities to trace the attacker.

In the hack, only the Ethereum v1 markets were impacted, and all the other v1 markets and the Iron Bank were safe, it added. The vulnerability has now also been patched.

As for what happened, the decentralized finance (DeFi) project Cream Finance noted that it was a mix of economic and oracle exploits.

The attacker flash borrowed DAI from lending protocol MakerDAO to create a large amount of yUSD tokens while simultaneously exploiting the price oracle calculation for yUSD price through the manipulation of the multi-asset liquidity pool that contained yDAI, yUSDC,yUSDT, and yTUSD on which the price oracle relied — all in a single transaction.

By increasing the increasing yUSD price per share, the attacker’s yUSD position was artificially increased, creating sufficient borrow limit to remove the vast majority of the liquidity from C.R.E.A.M. Ethereum v1 markets, explained the team.

In response, all the interactions with Cream’s Ethereum v1 markets have been suspended, and crTokens on them locked making them non-transferable.

“The key vulnerability lies in the price calculation of a wrappable token. We have stopped all supply/borrow of wrappable tokens, including all PancakeSwap LP tokens,” said the team.

The Yearn Finance team meanwhile successfully salvaged 9.42 mln which the attacker donated to the yUSD vault as part of the attack. The funds will soon be returned to the Cream multisig.

The team is currently working on a plan to restore funds lost, starting with a partial payment, which the details will be shared in the coming days.

Cream Finance also announced a bug bounty under which the attacker is encouraged to reach out to the team and return users’ funds in exchange for keeping 10% of the funds.

“They are impacting everyday users of DeFi, and we would like them to do the right thing,” said Cream Finance.

As a result of the attack, the total value locked (TVL) in the project had dropped by $370 million to $1.32 bln last week but hasn’t recovered as the TVL currently sits at $1.44 bln.

Much like the funds, the price of the CREAM token hasn’t pared its losses either. Currently trading at $101.11, the price is near the $98.41 low it dropped to last week and is down 73% from its all-time high of $374 hit in February.

Get Daily Headlines

Enter Best Email to Get Trending Crypto News & Bitcoin Market Updates

What to Know More?

Join Our Telegram Group to Receive Live Updates on The Latest Blockchain & Crypto News From Your Favorite Projects

Join Our Telegram

Stay Up to Date!

Join us on Twitter to Get The Latest Trading Signals, Blockchain News, and Daily Communication with Crypto Users!

Join Our Twitter

Add comment

E-mail is already registered on the site. Please use the Login form or enter another.

You entered an incorrect username or password

Sorry, you must be logged in to post a comment.
Bitcoin Exchange Guide