The Ethereum-based decentralised finance (DeFi) protocol Cream Finance has been hacked yet again, losing $130 million in what is its most significant exploit to date.
Groundhog day for Cream Finance
By now, hacks and exploits have become part and parcel of the cryptocurrency space. Some are comparatively minor, like the attacker who stole from around 6,000 Coinbase accounts. Others are massive, like the $600 million theft earlier this year known as the Poly Network hack, in which the attacker eventually returned all the funds and was offered a job for their efforts in exposing the network's security flaws.
However, most of the time a hack remains a one-off, as protocols clean up their security act. Not so in the case of Cream Finance. Astonishingly, the DeFi protocol has been hacked for the third time in its history, losing $130 million worth of Ether and other tokens in the process. It is the biggest hack in the protocol's history, after losses of $36m and $29m in two previous attacks, both in 2021. The attackers used a flash loan attack: the attacker borrows a very large sum without collateral, on the condition that it is repaid within the same transaction, and uses it to exploit a perceived security flaw, typically a pricing or arbitrage weakness. In essence, the borrowed capital is used to temporarily move the price an oracle reports for an asset, so that for the duration of that one transaction the protocol mis-values collateral or trades. If the scheme works, the attacker repays the loan and absconds with the difference, as in the case of Cream Finance. If it does not, the whole transaction reverts and the attacker is out only the gas fee.
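The mechanism described above, as an added example that is not part of the original article and not Cream Finance's or the attacker's code: a toy Python model of a lending market whose collateral price comes from an AMM pool, attacked inside one atomic transaction. It illustrates the generic pattern only; this page does not detail the specific code path used against Cream. All names (AMM, LendingMarket, run_attack, demo), the pool reserves, the 0.09% flash-loan fee, the 75% collateral factor and the gas cost are assumptions. The example goes one step beyond the text by also showing two hardened oracles (a lagged/TWAP-style price and a deviation-guarded spot price) under which the same transaction reverts.

```python
"""Toy flash-loan oracle manipulation (constructed example, not Cream Finance code).

One transaction: flash-borrow USD, skew the AMM pool the lending market uses as
its oracle, post the bought tokens as collateral, borrow against the inflated
valuation, repay the flash loan. If that fails the whole tx reverts, gas is lost.
"""
import copy
from dataclasses import dataclass, field
from fractions import Fraction
from typing import Callable, Tuple

class Revert(Exception):
    """Mirrors an EVM revert: every state change of the transaction is undone."""

@dataclass
class AMM:
    """Constant-product pool (token * usd = k); its reserves define the spot price."""
    token: int
    usd: int

    def spot_price(self) -> Fraction:
        return Fraction(self.usd, self.token)

    def buy_token(self, usd_in: int) -> int:
        k = self.token * self.usd
        new_token = k // (self.usd + usd_in)   # rounding stays with the pool
        out = self.token - new_token
        self.usd, self.token = self.usd + usd_in, new_token
        return out

@dataclass
class LendingMarket:
    """Over-collateralised lending: borrow up to 75% of oracle-valued collateral (assumed)."""
    liquidity: int
    collateral: dict = field(default_factory=dict)
    debt: dict = field(default_factory=dict)
    COLLATERAL_FACTOR = Fraction(3, 4)

    def deposit(self, who: str, amount: int) -> None:
        self.collateral[who] = self.collateral.get(who, 0) + amount

    def borrow(self, who: str, amount: int, price: Fraction) -> None:
        limit = self.collateral.get(who, 0) * price * self.COLLATERAL_FACTOR
        if amount > limit or amount > self.liquidity:
            raise Revert("insufficient collateral or liquidity")
        self.liquidity -= amount
        self.debt[who] = self.debt.get(who, 0) + amount

@dataclass
class World:
    pool: AMM
    market: LendingMarket

# An oracle maps (pool, reference price) to the price the market trusts; the
# reference stands in for a TWAP or external feed that one transaction cannot move.
Oracle = Callable[[AMM, Fraction], Fraction]

def spot_oracle(pool: AMM, _ref: Fraction) -> Fraction:
    return pool.spot_price()                  # vulnerable: reads live reserves

def lagged_oracle(_pool: AMM, ref: Fraction) -> Fraction:
    return ref                                # hardened: fixed before the tx began

def guarded_spot_oracle(pool: AMM, ref: Fraction) -> Fraction:
    spot = pool.spot_price()                  # hardened: spot, bounded by the reference
    if abs(spot - ref) > ref / 10:
        raise Revert("spot price deviates >10% from reference")
    return spot

FLASH_FEE_BPS = 9   # 0.09% flash-loan fee (assumed)
GAS_COST = 50       # USD lost on a reverted transaction (assumed)

def run_attack(world: World, oracle: Oracle, flash_amount: int) -> Tuple[int, World]:
    """One atomic transaction; returns (attacker profit in USD, resulting state)."""
    original, world = world, copy.deepcopy(world)      # mutate a copy; revert = keep original
    ref_price = world.pool.spot_price()                # what a TWAP would report this block
    fee = flash_amount * FLASH_FEE_BPS // 10_000
    try:
        tokens = world.pool.buy_token(flash_amount)        # flash-borrow USD, skew the pool
        world.market.deposit("attacker", tokens)           # post bought tokens as collateral
        price = oracle(world.pool, ref_price)
        borrowed = int(tokens * price * LendingMarket.COLLATERAL_FACTOR)
        world.market.borrow("attacker", borrowed, price)   # borrow at the oracle valuation
        if borrowed < flash_amount + fee:                  # repay the flash loan or revert
            raise Revert("cannot repay flash loan")
        return borrowed - flash_amount - fee, world        # collateral abandoned; bad debt stays
    except Revert:
        return -GAS_COST, original

def bad_debt(world: World, true_price: int) -> int:
    """Debt left uncovered if the attacker's collateral were sold at the true price."""
    owed = world.market.debt.get("attacker", 0)
    return max(0, owed - world.market.collateral.get("attacker", 0) * true_price)

def demo(oracle: Oracle) -> Tuple[int, World]:
    """Constructed scenario: 1,000 tokens / 1,000,000 USD pool (price 1,000), 10M USD market."""
    world = World(AMM(token=1_000, usd=1_000_000), LendingMarket(liquidity=10_000_000))
    return run_attack(world, oracle, flash_amount=3_000_000)
```

Running `demo(spot_oracle)` shows the attack as the paragraph describes it: a 3M USD flash loan pushes the pool price from 1,000 to 16,000, the market lends 9M USD against 750 tokens that are really worth 750k, and the attacker walks away with just under 6M USD while the market is left with 8.25M USD of bad debt. With `lagged_oracle` or `guarded_spot_oracle` the same transaction cannot repay the flash loan (or the oracle itself reverts), so the state returned is the untouched original and the attacker's only cost is gas.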
The Cream Finance team swiftly responded with the following statement: “With the help of friends from Yearn Finance and others in the community, we were able to identify the vulnerabilities and patch them. In the meantime, we’ve paused our v1 lending markets on Ethereum and we’re in the process of putting together a post-mortem review.”
Can the stolen funds ever be retrieved?
As seen in the Poly Network case, not all hacks are created equal in the cryptocurrency space. While that hacker was able to reach an agreement with Poly Network and could almost be considered a white-hat hacker (someone who finds and reports security issues so that the team can fix them), the Cream case seems more complicated. The perpetrator left the following cryptic message:
“gÃTµ Baave lucky, iron bank lucky, cream not. ydev : incest bad, dont do.”
It seems doubtful that Cream will be able to retrieve the funds, although the protocol has offered the hacker a 10% bounty should they decide to return the stolen money. After the previous flash loan attack it suffered, Cream said it would compensate affected users out of fees collected by the protocol. Back then, Cream was aided by Lossless, a DeFi security project focused on recovering siphoned funds through its extensive network in the hacker scene. While DeFi projects continue to enlist experts and offer bug bounties to incentivise hackers to “do the right thing,” it seems they will have to do more in future to ensure the safety of customer funds.