Cream Finance’s Hack Hattrick Sends Price and TVL Crashing
Hacks in the decentralized finance (DeFi) sector are nothing new, and Cream Finance is no exception.
Cream Finance has been hacked for the third time this year, this time for at least $130 million. The price of CREAM tanked more than 37% to nearly $97 as a result. As of writing, the cryptocurrency, which has a market cap of $79.5 million, has recovered some of its losses and is back at $104.5.
Additionally, the total value locked (TVL) on the multi-chain lending protocol has fallen to $1.33 billion from $1.72 billion, according to DeFi Llama.
The attack used a flash loan against the lending market of Ethereum CREAM V1 and manipulated the price of yUSD.
“Technically, it's not price manipulation. yUSDVault actually doubled in value. The problem is that it happened atomically, so Cream couldn't liquidate accounts and prevent them from going under water. Cream should not have allowed assets that can change their value so quickly,” said SushiSwap developer Mudit Gupta.
He further noted that it “was a cleanly executed attack” which involved two people and a shared account. “Attackers are DeFi devs, not traditional security folks,” Gupta added.
Our initial analysis of the Cream Finance attack: https://t.co/TysI7fjyPU @Mudit__Gupta @bantg @CreamdotFinance pic.twitter.com/wScUvizBtX
— BlockSec (@BlockSecTeam) October 27, 2021
The attack occurred on Oct. 27, and the team said it was investigating an exploit on C.R.E.A.M. v1 on Ethereum. Since then, liquidity has been removed.
“No other markets were impacted,” wrote the Cream team on Twitter. “We apologize to our users and community for this unfortunate incident and thank you for your support.”
With the help of the DeFi project Yearn Finance and others, the Cream team has identified the vulnerabilities and patched them.
“In the meantime, we've paused our v1 lending markets on Ethereum,” it said.
Yearn products, and by extension Alchemix, are not affected by the Cream Finance attack.
Funds are safe.
— Alchemix (@AlchemixFi) October 28, 2021
Insurance protocol Nexus Mutual advised those who have active cover policies for Cream Finance to wait for a three-day period before filing their claims.
Back in August, Cream Finance suffered a $25 million hack, and six months before that, in February, $37.5 million was stolen from the protocol.
According to a report from blockchain analytics firm CipherTrace, the DeFi market had a record loss of $474 million in the first seven months of this year.
As the DeFi space grows rapidly and hacks and attacks increase with it, the sector is attracting the scrutiny of regulators. Earlier this week, SEC Chair Gary Gensler said DeFi needs robust consumer protections.
“There’s a lot of lending going on. There’s a lot of trading going on. And without protections, I fear that it’s going to end poorly,” he said at the Yahoo Finance All Markets Summit.