Cream Finance Exploited in Flash Loan Attack Netting Over $100M

Decentralized finance (DeFi) money market and lending service C.R.E.A.M. Finance appears to have been the target of a devastating exploit Wednesday morning that drained over $260 million in funds, likely the second-largest exploit to date.

According to Cream’s native front end, most Ethereum-based pools are now empty with the exception of a $40 million $CREAM pool. As of Oct 23, the protocol’s Ethereum markets had $300 million worth of assets.

Cream’s official Twitter account acknowledged the attack in a Tweet:

Per DeFi Llama, the protocol has an additional $460 million in total value locked (TVL) across Binance Smart Chain, Polygon, Avalanche and Fantom. It is unclear if those funds are also at risk.

The funds appear to have been taken using a flash loan in a notably complex transaction that involved 68 different assets and cost over 9 ETH in gas. Of the $260 million lost, the attacker netted roughly $130 million in various cryptocurrencies, of which $40.6 million may be in illiquid crETH, a staked ETH derivative that may prove difficult for the attacker to sell.

The attacker is now working to “wash” the funds primarily using Ren’s Bitcoin bridge. As is often the case following exploits, individuals are now using Ethereum transactions to ask for donations.

A Cream representative did not respond to a request for comment by press time.

UPDATE (Oct. 27 16:07 UTC): Added TVL information, market size information, and new developments from attacker’s Ethereum address. Removed reference to Curve’s 3Pool as a mixer.