Unfortunately, in the cryptocurrency space, hacks are all too common. Although many blockchains boast top-notch security that is audited regularly, this is often far from the truth. The latest in a string of DEFI hacks in 2021 happened in October on a DEFI platform called CREAM Finance.
In October 2021, hackers took advantage of a price calculation error, and weaknesses in the CREAM Finance system in order to steal hundreds of millions of dollars. But this was no simple hack, and the attacker may find it difficult to spend these funds.
To learn more about what vulnerabilities led to this hack being possible, keep reading to learn more about CREAM Finance, and the hack that may signal the end to this platform.
What is CREAM Finance?
CREAM Finance is one of many large platforms in the DEFI space which allows users to borrow and loan cryptocurrency to each other through a complicated minting and burning process. The platform is open-source and permissionless, meaning there is no company overseeing the transactions, and everything is executed via software.
Users can lend and borrow several different cryptocurrencies on the platform including Ethereum and a variety of stablecoins like USDT and USDC. If users do decide to yield farm or stake their local cryptocurrency CREAM, the assets are tied up for a period of four years and only after that time passes can they get their rewards. CREAM Finance does not offer an admin unlock like many other platforms do allowing for cash out at earlier times. However, if you use their platform for trading other assets (like the aforementioned stablecoins) there are other cash out periods that don’t require as long of a commitment.
CREAM, the native cryptocurrency, has a total supply of 9 million coins, but only about 150,000 are currently in circulation. Additional coins will be released at future dates as rewards for staking the blockchain. As of January 2021, the CREAM blockchain is not audited, as the creators of the blockchain chose to have advisors as they corrected security themselves, rather than hiring a team to do the job for them.
Who Invented Cream?
CREAM was invented by Taiwanese entrepreneur Jeffery Huang, who considers himself a dictator of the company. This isn’t his first project, as he also is the founder of another blockchain project known as Mithril (MITH) which is a social media platform based on Ethereum. Huang works closely with Compound founder Robert Leshner, and the two of them handle much of the coding and security aspects of the company themselves.
Of the 9 million CREAM tokens that will eventually be in circulation, Huang has reserved 10% of these for himself and his team of advisors.
The CREAM Hack
On October 27th, 2021, a hacker took possession of millions of dollars of crypto funds stored on the CREAM blockchain using a complicated flash loan process and two different wallet addresses. The two accounts began the attack by taking out flash from two different DEFI platforms, MakerDAO and Aave. These currencies were then deposited on a different blockchain platform known as Curve, and were used to mint a stablecoin known as yUSD. Additional ETH was used to borrow more yUSD on the Aave platform.
Next, the hacker took all of this yUSD they had minted and purchased and headed over to another platform known as Yearn. Here, they used a complicated dapp to convert their yUSD tokens to yUSDVault tokens, through a simple deposit. Once this was done, the funds were sent from the one wallet address to the other. This lead to about $500 million USD being available on one of the wallet addresses.
These yUSDVault tokens can be used as collateral on the CREAM platform to mint a cryptocurrency known as crYUSD. The hacker did just this, collecting all of the funds he was minting into his wallet addresses. He supposedly amassed over $1.5 billion in crYUSD. Taking advantage of a weakness in the PriceOracleProxy that CREAM uses to value yUSDVault tokens, the hacker was able to double the value of his $1.5 billion in crYUSD, he then put this up for collateral on several CREAM loans, walking away with $130 million in available assets that will never be repaid.
This entire hack cost a paltry 9 ETH (about $36,000) and left the hacker with funds in crETH that can’t be spent. But by using another protocol called Ren’s Bitcoin bridge, he is working to “wash” the funds to be able to spend them. Whether this will be successful or not is unclear.
The Lesson to Learn from the CREAM Hack
This hack was no easy feat. Clearly the hacker is a cryptocurrency genius who knew a roundabout way to make money out of thin air to take advantage of a calculation error. Clearly this is an error on the part of CREAM Finance for not looking more closely at their protocols, as they missed a large bug in the system that this hacker took advantage of.
This is a lesson to many people who are looking to get involved in the cryptocurrency world. Although DEFI is a blessing (all that banking without KYC and AML) it can also be a curse if you get involved in a company that doesn’t practice proper security practices like CREAM. One of the things that is suspicious about this situation is that Huang has specifically said his blockchain as not audited, but rather checked over by a team of advisors. This makes you wonder if perhaps one of the advisors had something to do with this hack, as it was a very specific and complicated hack that would have been easier with inside knowledge.
Whether or not you think this was an inside attack, you should always be very careful when getting involved in the DEFI world, as hacks like there are all too common. And one of the major downsides of cryptocurrency is that there is no way to impose oversight to stop an attack like this without making it centralized. Rather, the proper security procedures need to be in the place to begin with—because there is no going back.