Cream Finance Offers a Bug Bounty of 10% To the Attacker.

Image Source: Twitter (CreamdotFinance)

On October 27th, 2021, Cream Finance's Ethereum v1 lending markets were exploited, and the attacker drained nearly $130 million worth of tokens from them. The team has started working on repayment of the lost funds, and says the details will be announced later this week.

Notably, Cream Finance is a fully decentralized lending protocol that gives individuals and institutions access to financial services. It is part of Yearn Finance and serves users on Binance Smart Chain, Fantom, Ethereum and Polygon. With C.R.E.A.M., users can earn passive yield by depositing assets such as ETH and wBTC.

The attack combined an oracle exploit with an economic (flash-loan) exploit.

The attacker flash-borrowed DAI from MakerDAO, used it to mint a large amount of yUSD, and at the same time manipulated the price oracle's calculation of the yUSD price by pushing up the vault's price per share. The attacker's yUSD position was therefore valued artificially high, which created enough borrowing capacity to drain liquidity from the C.R.E.A.M. Ethereum v1 markets.

In response, Cream Finance suspended all interactions with the Ethereum v1 markets and locked the crTokens. Note that the attacker donated $9.42 million to the yUSD vault to manipulate its price per share; those funds were rescued by Yearn Finance and returned to the C.R.E.A.M. multisig.

Let's discuss the attack in a bit more detail.

Two addresses, A and B, were involved in the attack. Address A flash-borrowed $500 million of DAI, deposited it into the Yearn vault and Curve to obtain yUSD, and supplied that yUSD to C.R.E.A.M. in exchange for crYUSD. Meanwhile, Address B flash-borrowed $2 billion worth of ETH and supplied it to C.R.E.A.M. as collateral.

Address B then transferred all of its crYUSD to Address A; the transfer was permitted because B's ETH collateral kept its position solvent. Address A then redeemed most of its yUSD for yCrv, leaving only about $8 million of yUSD outstanding in the vault, and transferred about $8 million of yCrv directly to the yUSD vault contract. Because a plain transfer adds assets to the vault without minting new shares, this roughly doubled the vault's pricePerShare ($8 million added on top of roughly $8 million of backing), and with it the oracle's valuation of every crYUSD held as collateral. On the strength of that inflated collateral, Address A borrowed about $2 billion worth of ETH from the Ethereum v1 markets, which was used to repay Address B's flash loan.
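The mechanism in the two passages above (the price-per-share manipulation and the donation step) is easy to see in a small model. The following is an added example, not Cream's or Yearn's contract code: a toy vault whose share price is the ratio of assets to shares, a spot oracle that reads that ratio the way the exploited C.R.E.A.M. oracle did, and a hypothetical bounded oracle that rejects a single-update jump. Amounts are in millions of dollars, the underlying (yCrv) is assumed to be worth $1, and the 90% collateral factor and 10% step bound are assumed illustrative values, not Cream's parameters or its actual remediation.

```python
"""
Toy model of the yUSD pricePerShare manipulation (constructed example, not
Cream's or Yearn's code). Amounts are in millions of USD; the underlying
token (yCrv) is assumed to trade at exactly $1.
"""

from dataclasses import dataclass


@dataclass
class Vault:
    """Yearn-style vault: shares (yUSD) are a claim on the underlying (yCrv) it holds."""
    total_assets: float = 0.0   # underlying tokens held by the vault contract
    total_supply: float = 0.0   # shares outstanding

    def price_per_share(self) -> float:
        # The share price is just a ratio of balances, so anything that raises
        # total_assets without minting shares raises it.
        return self.total_assets / self.total_supply if self.total_supply else 1.0

    def deposit(self, amount: float) -> float:
        shares = amount / self.price_per_share()
        self.total_assets += amount
        self.total_supply += shares
        return shares

    def withdraw(self, shares: float) -> float:
        amount = shares * self.price_per_share()
        self.total_assets -= amount
        self.total_supply -= shares
        return amount

    def donate(self, amount: float) -> None:
        # A plain ERC-20 transfer to the vault contract: assets rise, no shares are minted.
        self.total_assets += amount


class SpotShareOracle:
    """Prices a share at the vault's current pricePerShare (underlying assumed at $1)."""
    def __init__(self, vault: Vault):
        self.vault = vault

    def price(self) -> float:
        return self.vault.price_per_share()


class BoundedShareOracle:
    """Hypothetical hardened oracle: accept a new pricePerShare only if it moved by
    at most max_step since the last accepted reading, otherwise keep the old value.
    Illustrative control only, not the fix Cream actually shipped."""
    def __init__(self, vault: Vault, max_step: float = 0.10):
        self.vault = vault
        self.last_accepted = vault.price_per_share()
        self.max_step = max_step

    def price(self) -> float:
        spot = self.vault.price_per_share()
        if abs(spot - self.last_accepted) / self.last_accepted > self.max_step:
            return self.last_accepted   # suspicious jump: hold the last good value
        self.last_accepted = spot
        return spot


def borrow_limit(collateral_shares: float, share_price: float, collateral_factor: float) -> float:
    """Lending-market style limit: collateral value times the collateral factor."""
    return collateral_shares * share_price * collateral_factor


def simulate(flash_loan: float = 500.0, kept_shares: float = 8.0, donation: float = 8.0,
             collateral_factor: float = 0.9) -> dict:
    """Replay the donation trick against a spot oracle and a bounded oracle."""
    vault = Vault()
    spot, bounded = SpotShareOracle(vault), BoundedShareOracle(vault)

    # Attacker mints shares with flash-loaned funds, then redeems all but a few,
    # so that only a small amount of backing sits behind the remaining shares.
    shares = vault.deposit(flash_loan)
    vault.withdraw(shares - kept_shares)
    before = {
        "pps": vault.price_per_share(),
        "spot_limit": borrow_limit(kept_shares, spot.price(), collateral_factor),
        "bounded_limit": borrow_limit(kept_shares, bounded.price(), collateral_factor),
    }

    # The donation: underlying sent straight to the vault, no shares minted.
    vault.donate(donation)
    after = {
        "pps": vault.price_per_share(),
        "spot_limit": borrow_limit(kept_shares, spot.price(), collateral_factor),
        "bounded_limit": borrow_limit(kept_shares, bounded.price(), collateral_factor),
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, values in simulate().items():
        print(stage, {k: round(v, 2) for k, v in values.items()})
```

With the page's numbers the price per share goes from 1.0 to 2.0 after the $8 million donation, so the spot oracle doubles the borrow limit while the bounded oracle holds the pre-donation value. The model prices only the shares left in the vault; in the actual exploit the crYUSD collateral already sitting in C.R.E.A.M. was far larger than the $8 million of backing left behind, which is why a donation of that size unlocked a borrow of about $2 billion. A step bound is a blunt control: it can be walked around over several blocks and it also freezes legitimate large moves, so a time-weighted reading or pricing the vault from its underlying holdings is usually preferred.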

To encourage the attacker to open a dialogue about returning users' funds, Cream Finance has announced a bug bounty of 10% if the attacker is willing to return the funds. The team says it is ready to do whatever is needed to help its users recover the lost funds.