Cream Finance was hacked and approximately $117 million was stolen, marking the fifth attack this year
Author: Gu Yu
If there is any DeFi project that is most "favored" by hackers, it might be the DeFi lending project Cream Finance.
Around 21:56 Beijing time today, Cream Finance was once again hit by a flash loan attack, with hackers stealing approximately $117 million in assets from its smart contracts, marking the fifth time this year that the project has been attacked.
According to Etherscan, the hacker transferred about 20 ETH from Tornado.Cash to the attacking address around 21:17 and executed the attack at 21:56, subsequently obtaining over 50 assets including ETH, xSUSHI, PERP, wNXM, and renBTC from the Cream Finance deposit contract, and later sold assets such as OGN, FRAX, and OCEAN for ETH.
Currently, the Cream Finance website shows that the amount of borrowable assets on its Ethereum network is nearly depleted, with only about 360,000 CREAM and a few hundred dollars worth of other assets remaining. Meanwhile, the project's token price has rapidly dropped over 30%, hitting a low of $102.5.
Cream Finance's official Twitter account has responded to the incident, stating that the team is investigating an exploit of CREAM v1 on Ethereum and will post updates as the investigation progresses.
It is understood that Cream Finance is a decentralized lending protocol initiated by the Taiwanese community, focusing on mid-to-long tail assets, and joined the YFI ecosystem at the beginning of the year. It has now expanded to multiple blockchain networks including Ethereum, BSC, and Polygon. According to DefiLlama, Cream Finance currently has a total value locked (TVL) of $1.53 billion, ranking sixth among decentralized lending protocols.
Previously, Cream Finance had already suffered at least four attacks from hackers, so this latest attack makes it the DeFi project that has been successfully attacked the most times.
On February 13 this year, hackers exploited a vulnerability in Alpha Homora V2 to borrow ETH, DAI, USDC, and other assets from Cream Finance's zero-collateral cross-protocol lending feature Iron Bank, resulting in a loss of approximately $38 million for the project. Subsequently, Alpha Finance stated that it would fully compensate for the assets.
On the 28th of the same month, the DeFi aggregation platform Furucombo was hit by a serious exploit, which affected Cream Finance's reserve account. The Cream Finance team immediately revoked all approvals for external contracts but still lost $1.1 million.
On March 15, the Cream Finance domain was attacked by hackers, causing some users to see a request to input their mnemonic phrases on the website. The project’s official account quickly tweeted to remind users not to input their mnemonic phrases, stating that its smart contracts and user funds were still safe, and announced the recovery of domain ownership an hour later.
On August 30, Cream Finance suffered a flash loan attack made possible by a reentrancy vulnerability, with hackers taking 420 million AMP, 1308 ETH, and a small amount of USDC and other stablecoin assets, with a total asset value exceeding $34 million.
Currently, Cream Finance has drawn criticism and ridicule from many in the crypto industry, with researcher @Dogetoshi from The Block tweeting, "The fact that people are still using CREAM is the reason we make money in this field."