DeFi lending protocol CREAM Finance has been exploited for $130M, CREAM said in a tweet.
“We are investigating an exploit on C.R.E.A.M. v1 on Ethereum and will share updates as soon as they are available,” the CREAM Twitter account noted at 11:04 AM New York time.
The attack would be the third-largest in DeFi, according to Rekt. It may be the latest example of hackers using flash loans (loans that are executed without the need for collateral as long as they're paid back within one blockchain block) to exploit every last loophole they can find in the open-source code across decentralized finance.
Security firm PeckShield tweeted a flash loan alert, and the breach was then noted on Twitter by a researcher at The Block. It appears to have been a flash loan attack, which has been the main form these breaches have taken over the last two years, but there has been no post-mortem of the exploit so far.
Subsequently, PeckShield tweeted that the attacker had made a $117M gain on the exploit. According to data from the Defiant Terminal, CREAM v1 had $302M in it before the breach.
The attacker wrote a message in the transaction: “gÃTµ Baave lucky, iron bank lucky, cream not. ydev : incest bad, dont do.” This appears to imply that CREAM’s Iron Bank is untouched. Iron Bank is a protocol-to-protocol lending platform and runs through Yearn Finance.
According to the CREAM app, there is hardly anything left inside the v1 vaults. The app shows a little under 1,000 USDT, roughly 8,000 USDC, 622 YCRV and 351 CREAM. The ETH, YFI, LINK and other notable tokens all show zero balances.
“They aren’t going to drain the CREAM pool when the token price is going to dump,” @brandonsnothome wrote in the CREAM Discord server.
The community is discussing shorting the CREAM token as a way of recovering some of the lost assets. The CREAM token was at $116.68 in morning trading New York time Wednesday, down from $156.85 yesterday, a 25% decline. It had fallen to as low as $108.15 earlier.
According to DeFiLlama, CREAM had $1.72B worth of assets on Oct. 26.
CREAM has had at least three other breaches. In the most recent, $23M was lost due to a reentrancy bug in late August.