In October 2021, CREAM Finance suffered the third-largest DeFi hack to date, with losses of over $130 million.  The attacker used a flash loan attack to exploit vulnerabilities within the protocol.

Inside the Attack

The attack on CREAM was performed by two different addresses interacting with CREAM’s yUSDVault.  The goal of the attack was to mint a large number of crYUSD tokens and then exploit a vulnerability in the vault to double the perceived value of these shares.

The two accounts in the attack took out flash loans from MakerDAO and AAVE.  The DAI from MakerDAO was deposited into Curve’s yPool for yDAI, which was used to mint yUSD.  The ETH from AAVE was used as collateral to borrow more yUSD.

All of the yUSD created this way was deposited into Yearn’s yUSD strategy to create yUSDVault tokens, which were used as collateral on CREAM to mint crYUSD.  The second address then sent ~$500 million in yUSDVault tokens to the first address.

By repeating this process multiple times, the first address accrued ~$1.5 billion in crYUSD and ~$500 million in yUSDVault.  The attacker then redeemed the ~$500 million yUSDVault for yUSD, decreasing the total supply of yUSDVault tokens in the vault to ~$8 million.  The attacker then deposited ~$8 million in yUSD into the vault, doubling its overall value.

CREAM’s PriceOracleProxy for yUSDVault tokens calculates the value of these tokens as the total value of the vault over the total supply of yUSDVault tokens.  By dropping the total supply of yUSDVault to ~$8 million and depositing ~$8 million in yUSD into the vault, the attacker essentially doubled the perceived value of yUSDVault shares (crYUSD).

The first attacker address held $1.5 billion in crYUSD, which was now valued at $3 billion by the vault.  $2 billion of this and the ~$500 million withdrawn earlier paid off the attacker’s flash loans.  The remaining $1 billion in crYUSD provided the attacker with ample collateral to drain CREAM’s $130 million in available assets.
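The price calculation described above can be modeled in a few lines. This is an added example, not code from CREAM or Yearn: it replays the redeem-then-top-up sequence with the article's rounded figures (in millions) and compares the spot calculation with a hypothetical bounded-change guard. The names `Vault`, `spot_price` and `BoundedOracle` are illustrative, and the model assumes the ~$8 million of yUSD reaches the vault without new shares being minted, which is what the doubling requires.

```python
from dataclasses import dataclass

@dataclass
class Vault:
    """Toy share vault; amounts in millions of USD (constructed, rounded from the text)."""
    total_assets: float  # yUSD held by the vault
    total_supply: float  # vault shares outstanding

    def redeem(self, shares: float) -> float:
        """Burn shares for a pro-rata slice of assets; price per share is unchanged."""
        assets = shares * self.total_assets / self.total_supply
        self.total_assets -= assets
        self.total_supply -= shares
        return assets

    def donate(self, assets: float) -> None:
        """Assumption: yUSD arrives as a plain transfer, so no new shares are minted."""
        self.total_assets += assets

def spot_price(vault: Vault) -> float:
    """Oracle calculation described above: vault value over share supply."""
    return vault.total_assets / vault.total_supply

class BoundedOracle:
    """Hypothetical guard: reject a reading that moved more than max_move
    from the last accepted one (in practice, one stored in an earlier block)."""
    def __init__(self, vault: Vault, max_move: float = 0.10):
        self.vault, self.max_move = vault, max_move
        self.last = spot_price(vault)

    def price(self) -> float:
        current = spot_price(self.vault)
        if abs(current - self.last) / self.last > self.max_move:
            raise ValueError("price per share moved beyond bound")
        self.last = current
        return current

def simulate() -> dict:
    vault = Vault(total_assets=508.0, total_supply=508.0)  # ~$500M + ~$8M
    guarded = BoundedOracle(vault)
    held = 1500.0  # simplification: the ~$1.5B position, valued at the oracle price
    out = {"before": held * spot_price(vault)}
    vault.redeem(500.0)  # supply falls to ~8, price per share stays at 1.0
    out["after_redeem"] = held * guarded.price()
    vault.donate(8.0)    # assets double, supply does not
    out["after_donation"] = held * spot_price(vault)
    try:
        guarded.price()
        out["guard_blocked"] = False
    except ValueError:
        out["guard_blocked"] = True
    return out
```

The redemption leaves the price per share untouched; it only shrinks the denominator so that a comparatively small top-up moves the ratio, which is why the spot calculation values the same position at twice its earlier figure while the bounded reading is refused.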

Lessons Learned From the Attack

The CREAM hack is one of many in which attackers exploited price calculation errors via flash loan attacks.  In this case, the impact of the attack was largely limited by the amount of value that CREAM had available for lending.  The attacker’s ~$1 billion in available collateral could have been used to borrow and default on far more than the $130 million that CREAM had available for lending.

Rob Behnke