The DeFi realm experienced yet another blow, as Cream Finance suffered its third flash loan exploit in 2021. Attackers managed to steal a total of $130 million, exploiting the lending markets on Ethereum C.R.E.A.M v1 and manipulating the price of yUSD.
Furthermore, the team at Cream Finance announced that it was a subject to the attack on October 27, but as of press time, no post mortem analysis on the situation has been published. However, Cream Finance noted that they are working on the subject.
“With the help of friends from @iearnfinance and others in the community, we were able to identify the vulnerabilities and patch them. In the meantime, we've paused our v1 lending markets on Ethereum and we're in the process of putting together a post-mortem review.” Cream Finance tweeted.
However, the attack might have been more severe since some developers pointed out that the attacker had left messages, saying that Aave and Iron Bank were “lucky”, while Cream was not so lucky.
Meanwhile, blockchain security company BlockSec performed an initial analysis of the attack. The report highlights the mechanisms behind the attack and the lending market's yUSD price manipulation.
As of press time, the attacker does not seem to have been identified.
This is not Cream Finance’s first attack, as the lending protocol suffered from a $19 million flash loan attack in late August 2021, and a February 2021 attack, which resulted in $37.5 million stolen from the platform.
Such an attack brings back the security issues DeFi protocols are experiencing due to the popularity of DeFi platforms and the complexity of their design. A report from cryptocurrency intelligence firm CipherTrade highlighted that the DeFi market saw a record loss from attacks in 2021, totaling approximately $474 million between January and July 2021.