
Cream Finance Hack

October 27, 2021 | $130 million | Flash Loan Price Manipulation | Ethereum

The Story

On October 27, 2021, Cream Finance, a decentralized lending protocol, suffered its third and largest hack of the year. The attacker exploited the way the protocol priced yUSD collateral, using flash loans to scale the position, and drained approximately $130 million worth of tokens from its lending pools.

The attack targeted one of the protocol's capital-efficiency features: the ability to use yUSD (the token of Yearn's yUSD vault) as collateral. Cream valued that collateral from the vault's live share price, a number the attacker was able to roughly double within a single transaction. With collateral worth twice what it had been, the attacker borrowed ETH, WBTC and a range of ERC-20 assets from Cream's pools and never repaid them.

This was the third major exploit of Cream Finance in 2021 alone, following a $37 million flash loan attack in February and an $18 million reentrancy attack in August. The repeated successful exploits against the protocol highlighted the difficulty of securing DeFi platforms, especially those whose collateral valuation depends on the behaviour of other protocols.

Technical Analysis

The Cream Finance hack was a flash-loan-amplified price manipulation that exploited how the protocol valued yUSD collateral. In outline, the attacker:

  1. Flash-borrowed roughly 500 million DAI from MakerDAO (plus additional ETH from Aave) to fund the position
  2. Converted the DAI into yUSD and supplied it to Cream as collateral, building a crYUSD position far larger than the yUSD vault itself by repeatedly supplying and borrowing
  3. Transferred a large amount of the vault's underlying Curve LP token directly to the yUSD vault; because that adds assets without minting shares, pricePerShare roughly doubled, and Cream's oracle (which multiplies the Curve-derived underlying price by pricePerShare) doubled the price of yUSD with it
  4. Borrowed against the now doubly valued collateral, draining every liquid asset in Cream's markets, about $130 million in total
  5. Repaid the flash loans within the same transaction and kept the borrowed assets, leaving Cream Finance with unbacked bad debt

The key vulnerability was in the oracle. Cream priced yUSD by multiplying the underlying's price by the vault's live pricePerShare, and pricePerShare is a spot quantity that anyone can raise in one transaction by sending assets to the vault. The oracle applied no time-weighting, deviation bound or per-block cap to it:

// Simplified representation of the vulnerable price oracle (not Cream's exact code)
pragma solidity ^0.8.0;

interface IYearnVault {
    function pricePerShare() external view returns (uint256);
}

abstract contract YearnTokenOracle {
    // Price of the vault's underlying (the Curve LP token), 1e18-scaled; sourced elsewhere
    function getCurvePriceForToken(address yToken) internal view virtual returns (uint256);

    function getPriceForYearnTokens(address yToken) public view returns (uint256) {
        // Get the underlying token price from the Curve pool
        uint256 curvePrice = getCurvePriceForToken(yToken);

        // Live share price of the vault (totalAssets / totalSupply). Anyone can raise it
        // by transferring underlying straight to the vault: assets rise, no shares are minted.
        uint256 virtualPrice = IYearnVault(yToken).pricePerShare();

        // Vulnerability: the spot share price is trusted as-is, with no time-weighting,
        // no deviation bound and no cap on how far it may move within one block
        return curvePrice * virtualPrice / 1e18;
    }
}

The attacker combined this oracle weakness with Cream's cross-collateral design: inflated yUSD collateral unlocked borrowing from every other market, so the overvaluation of a single token drained ETH, WBTC and stablecoins alike.
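The arithmetic behind the steps above, as an added example that is not Cream Finance or Yearn code. The vault, oracle and market are simplified stand-ins for the contracts involved, and every number (vault size, collateral factor, position size) is an illustrative assumption. Amounts are integers scaled by 1e18 as on chain. The toy does not model how the attacker grew the collateral position; it takes the position size as an input and shows why the position had to be far larger than the vault for the donation to pay off.

```python
"""Toy model of the share-price inflation behind the October 2021 Cream loss.

Added example, not Cream Finance or Yearn code. Names and numbers are
illustrative assumptions chosen to keep the arithmetic readable.
"""
from dataclasses import dataclass

WAD = 10**18
USD = WAD  # one dollar, WAD-scaled


@dataclass
class Vault:
    """Share-based vault: pricePerShare = totalAssets / totalShares."""
    total_assets: int = 0
    total_shares: int = 0

    def price_per_share(self) -> int:
        if self.total_shares == 0:
            return WAD
        return self.total_assets * WAD // self.total_shares

    def deposit(self, assets: int) -> int:
        """Mint shares pro rata and return them."""
        if self.total_shares == 0:
            shares = assets
        else:
            shares = assets * self.total_shares // self.total_assets
        self.total_assets += assets
        self.total_shares += shares
        return shares

    def donate(self, assets: int) -> None:
        """A plain ERC-20 transfer into the vault: assets rise, no shares are
        minted, so every existing share is revalued upward. This is the lever."""
        self.total_assets += assets


class SpotOracle:
    """Same shape as the vulnerable oracle above: underlying price x live pricePerShare."""

    def __init__(self, vault: Vault, underlying_price: int) -> None:
        self.vault = vault
        self.underlying_price = underlying_price

    def price(self) -> int:
        return self.underlying_price * self.vault.price_per_share() // WAD


def borrow_capacity(collateral_shares: int, oracle: SpotOracle, cf: int) -> int:
    """Compound-style: collateral value in USD times the collateral factor."""
    value = collateral_shares * oracle.price() // WAD
    return value * cf // WAD


def simulate(honest_tvl: int, attacker_deposit: int, collateral_shares: int,
             donation: int, cf: int) -> dict:
    """Run the manipulation and report what the spot oracle saw and what it cost."""
    vault = Vault()
    vault.deposit(honest_tvl)          # existing depositors
    vault.deposit(attacker_deposit)    # attacker's own shares
    oracle = SpotOracle(vault, USD)

    pps_before = vault.price_per_share()
    cap_before = borrow_capacity(collateral_shares, oracle, cf)

    vault.donate(donation)             # one transfer, no shares minted

    pps_after = vault.price_per_share()
    cap_after = borrow_capacity(collateral_shares, oracle, cf)
    return {
        "pps_before": pps_before,
        "pps_after": pps_after,
        "capacity_gain": cap_after - cap_before,
        # Gain scales with the position; cost is bounded by the vault's size.
        "net_profit": cap_after - cap_before - donation,
    }


if __name__ == "__main__":
    # Constructed scenario: an 8M-unit vault and a 100M-share collateral position
    # (assumed to have been built by re-supplying yUSD through the market).
    out = simulate(honest_tvl=6_000_000 * WAD, attacker_deposit=2_000_000 * WAD,
                   collateral_shares=100_000_000 * WAD, donation=8_000_000 * WAD,
                   cf=9 * WAD // 10)
    for k, v in out.items():
        print(f"{k}: {v / WAD:,.2f}")
```

Run with a collateral position equal to the attacker's own 2M shares and the same 8M donation loses money; with a 100M-share position the donation doubles pricePerShare and adds 90M of borrowing power for 8M of cost. The size of the position, not of the vault, sets the payoff, which is why the flash loans were needed.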

Lessons Learned

  1. Vault and wrapped tokens should be priced with time-weighted average price (TWAP) or deviation-bounded oracles, never from a quantity such as pricePerShare that a single transaction can move
  2. Security audits should exercise flash loan scenarios with extreme amounts, including loops that supply and borrow the same asset
  3. Risk parameters should be conservative for collateral assets, especially synthetic or wrapped tokens: lower collateral factors and supply caps bound the damage an overvalued token can do
  4. Circuit breakers should limit the amount of assets that can be borrowed from a market in a short time period
  5. Integration with external protocols adds attack surface that must be assessed in full: here a token transfer into a Yearn vault became an exploit of Cream
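Lessons 1 and 4 in code, as an added example that is not Cream Finance code. Assumed conventions: prices are 1e18-scaled integers, timestamps are seconds, the TWAP is an arithmetic time-weighted mean over a ring of stored observations, and the 5% deviation bound, 30-minute window and outflow cap are illustrative constants rather than parameters of any real protocol.

```python
"""TWAP-bounded collateral pricing and a borrow circuit breaker.

Added example, not Cream Finance code. Window, deviation bound and outflow
cap are illustrative assumptions.
"""
from collections import deque

WAD = 10**18


class GuardedOracle:
    """Values collateral from a TWAP-bounded price instead of the live spot."""

    def __init__(self, window: int, max_deviation: int, max_obs: int = 256) -> None:
        self.window = window                      # seconds of history the TWAP covers
        self.max_deviation = max_deviation        # 1e18-scaled fraction, e.g. 0.05e18
        self.obs: deque = deque(maxlen=max_obs)   # (timestamp, price) observations

    def observe(self, ts: int, price: int) -> None:
        if self.obs and ts < self.obs[-1][0]:
            raise ValueError("observations must not go backwards in time")
        self.obs.append((ts, price))

    def twap(self, now: int) -> int:
        """Time-weighted mean of the prices in force over [now - window, now].

        The price observed in the current block has zero elapsed time and so
        zero weight: a manipulation done and exploited in one block never
        reaches the TWAP at all.
        """
        pts = list(self.obs)
        start = now - self.window
        weighted = covered = 0
        for i, (t0, price) in enumerate(pts):
            t1 = pts[i + 1][0] if i + 1 < len(pts) else now
            lo, hi = max(t0, start), min(t1, now)
            if hi > lo:
                weighted += price * (hi - lo)
                covered += hi - lo
        if covered == 0:
            raise ValueError("no price history inside the window")
        return weighted // covered

    def collateral_price(self, now: int, spot: int) -> int:
        """Collateral is valued at min(spot, TWAP * (1 + max_deviation)):
        a sudden upward jump buys no extra borrowing power."""
        ceiling = self.twap(now) * (WAD + self.max_deviation) // WAD
        return min(spot, ceiling)

    def debt_price(self, now: int, spot: int) -> int:
        """Debt is valued at max(spot, TWAP * (1 - max_deviation)): the mirror
        bound, so a sudden crash cannot make a loan look over-collateralised."""
        floor = self.twap(now) * (WAD - self.max_deviation) // WAD
        return max(spot, floor)


class BorrowCircuitBreaker:
    """Sliding-window cap on how much one market may lend out."""

    def __init__(self, window: int, max_outflow: int) -> None:
        self.window = window
        self.max_outflow = max_outflow
        self.events: deque = deque()  # (timestamp, amount) of accepted borrows

    def allow(self, now: int, amount: int) -> bool:
        while self.events and self.events[0][0] <= now - self.window:
            self.events.popleft()
        used = sum(a for _, a in self.events)
        if used + amount > self.max_outflow:
            return False                  # the caller should revert the borrow
        self.events.append((now, amount))
        return True


def scenario() -> dict:
    """Constructed feed: pricePerShare reads 1.00 every minute for 30 minutes,
    then the block after a donation reads 2.00. Compares what each path sees."""
    oracle = GuardedOracle(window=1800, max_deviation=5 * WAD // 100)
    t = 0
    for _ in range(30):
        oracle.observe(t, WAD)
        t += 60
    spot = 2 * WAD                        # the manipulated reading, same block as the borrow
    oracle.observe(t, spot)
    breaker = BorrowCircuitBreaker(window=3600, max_outflow=10_000_000 * WAD)
    return {
        "spot": spot,
        "twap": oracle.twap(t),
        "collateral_price": oracle.collateral_price(t, spot),
        "debt_floor": oracle.debt_price(t, WAD // 2),
        "first_borrow_ok": breaker.allow(t, 8_000_000 * WAD),
        "second_borrow_ok": breaker.allow(t + 12, 8_000_000 * WAD),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v / WAD if isinstance(v, int) and not isinstance(v, bool) else v)
```

The guarded path values the doubled share price at 1.05, not 2.00, and the breaker refuses the second 8M borrow inside the hour. Neither is a full defence on its own: an attacker who can afford to leave the donation in the vault for the whole window will eventually move the TWAP, so the bound raises the cost rather than removing the attack, and the outflow cap only limits what a single window can extract. Both belong alongside conservative collateral factors for vault tokens, not in place of them.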