Cream Finance Exploited in Flash Loan Attack Netting Over $100M
An attacker has gained over $130 million of assets in an exploit that appears to have drained Cream’s coffers.
Decentralized finance (DeFi) money market and lending service C.R.E.A.M. Finance appears to have been the target of a devastating exploit Wednesday morning that drained over $260 million in funds, likely the second-largest exploit to date.
Cream’s official Twitter account acknowledged the attack in a Tweet:
Per DeFi Llama, the protocol has an additional $460 million in total value locked (TVL) across Binance Smart Chain, Polygon, Avalanche and Fantom. It is unclear if those funds are also at risk.
The funds appear to have been taken using a flash loan in a notably complex transaction that involved 68 different assets and cost over 9 ETH in gas. Of the $260 million lost, the attacker netted roughly $130 million in various cryptocurrencies, of which $40.6 million may be in illiquid crETH, a staked ETH derivative that may prove difficult for the attacker to sell.
The attacker is now working to “wash” the funds primarily using Ren’s Bitcoin bridge. As is often the case following exploits, individuals are now using Ethereum transactions to ask for donations.
A Cream representative did not respond to a request for comment by press time.
UPDATE (Oct. 27 16:07 UTC): Added TVL information, market size information, and new developments from attacker’s Ethereum address. Removed reference to Curve’s 3Pool as a mixer.