Full Report
Cream is a decentralized lending protocol (just like a ton of things on the blockchain). In the Cryptocurrency space, an Automated Market Maker (AMM) is used for calculating the cost of an asset algorithmically instead of users calculating the price. This sounds great for usability. However, there are problems with this. What happens when the user has control over an insane amount of funds? When the creation of flash loans, a user can a large amount of funds for a very short amount of time (one transaction to be exact). If the algorithm does not take this type of control into consideration, then a malicious actor can use this to steal a lot of money. In the case of Cream, there is an issue in the price calculation of wrappable tokens. The price oracle for yUSD tokens calculates the value of the crYUSD value shares based upon the total supply of yUSDVault tokens. The cost yUSD balance / totalSupply yUSDVault. The attacker redeemed $500 million yUSD from the vault. Then, when they added 8 million into the vault that they owned. By dropping the amount of tokens in the vault to nearly zero, this doubled the perceived value of the shares owned by the attacker because of the algorithm used above to calculate the funds; it is based upon the percentage of funds in the vault. By taking out flash loans from AAVE and MakerDAO, the attacker made 130 million off of this. On twitter, Cream claims that if the attacker gives all of the money back they will pay a bounty cost of %10 the stolen funds. This seems ridiculous to me... here's an additional link from Immunefi that came out years later.
Analysis Summary
# Incident Report: CREAM Finance $130M Flash Loan Attack
## Executive Summary
In October 2021, the CREAM decentralized lending protocol suffered a major exploit resulting in over $130 million in losses. The attack leveraged a flash loan to manipulate the protocol's price oracle mechanism, specifically affecting the calculation of yUSD Vault token values, allowing the attacker to falsely inflate the value of their collateral and drain assets.
## Incident Details
- Discovery Date: October 2021 (Implied shortly after the event, as the article discusses the "hack in October 2021")
- Incident Date: October 2021
- Affected Organization: CREAM Finance
- Sector: Decentralized Finance (DeFi) / Lending Protocol
- Geography: N/A (Blockchain-based)
## Timeline of Events
### Initial Access
- Date/Time: October 2021
- Vector: Flash Loans and Price Manipulation
- Details: The attacker initiated transactions using two addresses, drawing funds via flash loans from AAVE and MakerDAO.
### Lateral Movement
- **Progression:** The attacker cycled borrowed funds (DAI from MakerDAO converted to yDAI, then yUSD) and ETH from AAVE to mint yUSDVault tokens via Yearn's yUSD strategy. These tokens were used as collateral on CREAM to mint crYUSD.
### Data Exfiltration/Impact
- **Action:** One attacker address sent approximately $500 million in yUSDVault tokens to the primary actor. This was repeated to accrue ~$1.5 billion in crYUSD and ~$500 million in yUSDVault tokens.
- **Exploitation:** The attacker redeemed $500 million in yUSDVault tokens, significantly reducing the total supply held in the vault to about $8 million. They then deposited their own $8 million in yUSD back into the vault.
- **Result:** Due to the flawed price oracle calculation (which relies on Total Value / Total Supply of shares), reducing the supply *while depositing* effectively doubled the perceived value of the attacker's $1.5 billion in crYUSD (from $1.5B to $3B).
- **Impact:** The attacker used the inflated collateral value to drain $130 million in available assets from CREAM.
### Detection & Response
- **Detection:** The exploit was detected when monitoring tools or the CREAM team noticed abnormal activity/withdrawals.
- **Response Actions:** Upon realizing the extent of the breach, CREAM became aware of the flaw related to price calculation errors when interacting with flash loans. The article notes a later public communication where CREAM offered a 10% bounty if all stolen funds were returned (which the analyst notes as a questionable response).
## Attack Methodology
- **Initial Access:** Gained necessary capital instantaneously via Flash Loans from MakerDAO and AAVE.
- **Persistence:** Not applicable in the context of a single-transaction flash loan exploit, which is typically resolved quickly.
- **Privilege Escalation:** N/A (No traditional network privileges involved).
- **Defense Evasion:** N/A (The mechanism relied on trusting the flawed on-chain price oracle calculation).
- **Credential Access:** N/A
- **Discovery:** N/A (Likely pre-planned based on knowledge of the oracle vulnerability).
- **Lateral Movement:** Cycling borrowed DeFi assets to acquire specific underlying tokens (yUSDVault) to use as collateral on CREAM.
- **Collection:** N/A (The goal was draining assets, not data collection).
- **Exfiltration:** Draining $130 million worth of assets from CREAM's active lending pool using the inflated collateral base.
- **Impact:** Financial drain of $130M.
## Impact Assessment
- **Financial:** Over $130 million stolen from CREAM Finance's reserves.
- **Data Breach:** None reported (No customer PII or sensitive data theft beyond smart contract interaction data).
- **Operational:** Significant loss of protocol liquidity and trust; the hack was the "third-largest DeFi hack to date" at the time.
- **Reputational:** Major damage to trust in CREAM Finance's security model; the incident highlights systemic risks in DeFi price oracles.
## Indicators of Compromise
- **Network indicators (defanged):** Transaction hashes showing large, simultaneous borrowing from AAVE and MakerDAO followed by massive deposits/withdrawals in the yUSDVault and CREAM contracts.
- **File indicators:** N/A
- **Behavioral indicators:** Single addresses accumulating massive volumes of collateral tokens ($1.5B crYUSD) and subsequently draining the lending pool in a short timeframe.
## Response Actions
- **Containment measures:** Actions were likely necessary on the protocol side (e.g., pausing lending/borrowing functions, though not explicitly stated in the source material regarding immediate steps).
- **Eradication steps:** Patching the specific logic flaw in the `PriceOracleProxy` to prevent reliance on share supply manipulation.
- **Recovery actions:** The article mentions a public offer to pay a 10% bounty if funds were returned, implying recovery efforts were focused on negotiation/return rather than simply freezing stolen assets (as is difficult on public blockchains).
## Lessons Learned
- **Security Flaw:** The core lesson is the danger of underestimating the interaction between flash loans and on-chain price oracles, especially when oracles calculate value based on internal supply/denominator metrics that can be externally manipulated.
- **Limitation Mitigation:** The impact was financially limited only because CREAM had only $130M available for lending; the attacker theoretically could have drained far more had the pool been larger.
## Recommendations
- **Robust Oracles:** Implement decentralized, time-weighted, or externally sourced price oracles (e.g., based on aggregated DEX prices) that are resilient to manipulation via single-transaction supply shock within the vault mechanism.
- **Flash Loan Consideration:** All smart contract logic must explicitly account for the potential use of flash loans as a capital injection vector during high-stakes operations like collateral valuation.