Decentralized finance (DeFi) money market and lending service C.R.E.A.M. Finance appears to have been the target of a devastating exploit Wednesday morning that drained over $260 million in funds, likely the second-largest exploit to date.
Cream’s official Twitter account acknowledged the attack in a Tweet:
Per DeFi Llama, the protocol has an additional $460 million in total value locked (TVL) across Binance Smart Chain, Polygon, Avalanche and Fantom. It is unclear if those funds are also at risk.
The funds appear to have been taken using a flash loan in a notably complex transaction that involved 68 different assets and cost over 9 ETH in gas. Of the $260 million lost, the attacker netted roughly $130 million in various cryptocurrencies, of which $40.6 million may be in illiquid crETH, a staked ETH derivative that may prove difficult for the attacker to sell.
The attacker is now working to “wash” the funds primarily using Ren’s Bitcoin bridge. As is often the case following exploits, individuals are now using Ethereum transactions to ask for donations.
A Cream representative did not respond to a request for comment by press time.
UPDATE (Oct. 27 16:07 UTC): Added TVL information, market size information, and new developments from attacker’s Ethereum address. Removed reference to Curve’s 3Pool as a mixer.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.