This was probably the third attack for Cream Finance as well as the third-largest in the history of the DeFi space.
The last time Cream Finance faced a similar flash loan attack was in August 2021 wherein it lost $25 million. Prior to that, hackers stole a staggering $37.5 million from the Cream Finance platform earlier in February. The Cream Finance team tweeted the same about the hack confirming the recent exploit. It noted:
“Our Ethereum C.R.E.A.M. v1 lending markets were exploited and liquidity was removed on October 27, 1354 UTC. The attacker removed a total of ~$130m USD worth of tokens from these markets.
With the help of friends from @iearnfinance and others in the community, we were able to identify the vulnerabilities and patch them. In the meantime, we’ve paused our v1 lending markets on Ethereum and we’re in the process of putting together a post-mortem review. We apologize to our users and community for this unfortunate incident and thank you for your support”.
Deconstructing the Details of the Hack
As per the blockchain records, a staggering $92 million were stolen from one address and $23 million moved to another. However, the funds have now been moved to different wallets. The exploit was highlighted by PeckShield noted that the funds stolen mostly have been in Cream LP tokens and other ERC-20 tokens.
The price of Cream Finance (CREMA) has tanked significantly following the news. As per data from CoinGecko, CREAM’s price is down 24% in the last 24-hours and is currently trading at $116. Due to multiple exploits, CREAM has failed to participate in the market rally.
As per the transaction details of the exploit, the hacker left an unusual message writing “gÃTµ Baave lucky, iron bank lucky, cream not. ydev : incest bad, dont do”. Along with Cream Finance, the hacker was probably referring to DeFi lending platforms like Aave and Iron Bank.
As per the data from Rekt, the recent hack was the third-largest in the history of DeFi markets. This will bring the total amount of funds stolen in Defi to more than $500 million. Amid the rapidly emerging Defi ecosystem, flash loan attacks are getting more frequent.