Hack Track: Analysis of C.R.E.A.M. Finance Hack
Merkle Science
On October 27, 2021, C.R.E.A.M. Finance lending markets were exploited. The attacker stole over $136 million worth of crypto assets from the C.R.E.A.M. v1 lending markets. The majority of the crypto assets stolen are reportedly ERC-20 coins and C.R.E.A.M. Liquidity Protocol tokens.
C.R.E.A.M. Finance, a decentralized lending and borrowing protocol that runs on Ethereum blockchain, suffered three attacks this year. The C.R.E.A.M. Finance heist also marks the second-largest cryptocurrency hack this year after decentralized finance (DeFi) platform Poly Network lost $600 million in August. The attack happened amidst a rapid increase in hacking incidents suffered by DeFi platforms. Hacks in the DeFi ecosystem accounted for nearly 76% of all major hacks worldwide in 2021 so far, according to a report by security firm AtlasVPN. Further, as per a report by DeFi Pulse, a total of $361 million has been lost in DeFi hacks compared to $129 million last year.
With an increase in DeFi related attacks, regulatory scrutiny around DeFi is also increasing. Chairman of the U.S. Securities and Exchange Commission (SEC), Gary Gensler, in an interview discussed the possibility of bringing DeFi under the purview of the SEC, stating that “these peer-to-peer networks, so far completely unregulated in the U.S., may not be immune from oversight. Some decentralized finance projects have features that make them look like the types of entities the SEC oversees.” Further, in his speech at the Aspen Security Forum Gensler also requested greater support and resources from Congress, highlighting that legislative priority should center on crypto transactions, crypto trading, and DeFi platforms as regulators try to pave the way for crypto to exist in a regulated, consumer-protected way.
C.R.E.A.M. Finance Hacked For the Third Time This Year
In this year alone, this is the third time that C.R.E.A.M. Finance has suffered an exploit. On February 13, 2021, Alpha Homora, a leverage liquidity protocol, fell victim to a flash loan attack. The attackers stole $37 million from Alpha Homora by exploiting C.R.E.A.M. Finance’s Iron Bank Service, which gives out uncollateralized loans to smart contracts. Since Alpha Homora V2 was integrated with C.R.E.A.M Finance’s Iron Bank only for protocol-to-protocol lending, the debt was only created between the two protocols, not the users.
On August 3, 2021, C.R.E.A.M. Finance suffered a reentrancy attack, wherein a bug was placed in the smart contract that allows an attacker to withdraw funds repeatedly in a loop before the original transaction is approved or declined or the funds need to be returned. According to the C.R.E.A.M. Finance Post Mortem AMP Exploit, the exploit took place through two transactions - one main exploit and the other a smaller copycat. The main exploit was executed in just one transaction “by way of reentrancy on the AMP token contract.” The hacker used a reentrancy attack in C.R.E.A.M. Finance’s “flash loan” feature to steal 462,079,976 in AMP tokens and 2,804.96 in ETH coins. The root cause of the exploit is the erroneous integration of AMP into the C.R.E.A.M Finance protocol.
C.R.E.A.M. Finance’s lack of focus on security has been the subject of criticism. Users are dissatisfied with C.R.E.A.M Finance’s track record when it comes to safeguarding user funds.
What Happened?
In the latest exploit, the attackers found a vulnerability in the platform’s lending system and exploited it to steal C.R.E.A.M. Finance’s assets and tokens. According to C.R.E.A.M. Finance’s Post Mortem report, there were two addresses involved in the attack.
Mudit Gupta, a core blockchain developer and security researcher at SushiSwap broke down the attacker’s in the following steps.
Address A (0x961d2b694d9097f35cfffa363ef98823928a330d):
The attacker first borrowed $500 million DAI from MakerDao. Subsequently, the attacker deposited $500 million DAI into the yDAI yearn vault and earned 500 yDAI in return. Yearn vaults are essentially pools of user funds managed by automated combinations of yield farming strategies. They enable users to maximize their gains. In this scenario, users themselves don’t have to select or switch between various yield farming strategies by themselves. When a user deposits funds, say DAI, he receives yDAI, which represents a share of his funds in the vault.
Then the attackers deposited $500 million yDAI into yUSD curve pool to attain yUSD, the attacker then deposited the $500 million yUSD into yUSD yearn vault – yUSDVault. Curve pool is an automated market maker that allows users to swap stablecoins at low fees and slippage. For example, yUSDVault consists of four stablecoins — yDAI, yUSDT, yTUSD, and yUSDC.
The yUSDVault held $11 million before the deposit. Once the attacker deposited $500 million yUSD, the balance in the yUSDVault amounted to $511 million. Finally the attacker supplied yUSDVault into C.R.E.A.M. to obtain $500 million cryUSD in return. The account balance in A, now, is $500 million cryUSD.
Address B (0xf701426b8126bc60530574cecdcb365d47973284):
Firstly, the attacker borrowed $2 billion Ethereum using a flash loan. He then deposited $ 2 billion ETH into C.R.E.A.M. to get $2 billion cEther as collateral. The attacker again borrowed a $500 million yUSDvault by using $2 billion cEther as collateral. The collateral left now = 1.5 billion cEther.
The attacker then borrowed $500 million yUSDVault to mint $500 million cryUSD. He then transferred this cryUSD to Wallet A. Account A now has 1 billion CryUSD.Again, Borrow $500m yUSDVault by using the initial $2bETH collateral.Mint $500m cryUSD by depositing the $500m yUSDVault back in C.R.E.A.M. The collateral left is $1 billion now.
The attacker then transferred this minted $500m cryUSD into Account A. Account A now has a balance of $1.5b cryUSD. Subsequently, the attacker borrowed $500m yUSDVault. The collateral left is $500 million. The attacker then transferred this $500m yUSDVault into Account A.
DefiDollar was holding $3million of yUSDVault as collateral against DUSD. Using Account A, the attacker bought $3m DUSD from Curve. DeFidollar is a multichain DeFi protocol lab that provides a stablecoin index-backed asset — DefiDollar -- with the aim to reduce volatility induced risk. The attacker burned the $3m DUSD bought from Curve for the underlying yUSDVault collateral.
Account A balance becomes $500 million yUSDVault and 1.5 billion cryUSD. Whereas, Account B has a debt of $1.5 billion cryUSD against $2 billion of ETH collateral. In the next step, the attacker transfers 8 million yUSD to the yUSD vault. The yUSD balance becomes $16 million while the total supply remains $8 million. Therefore, the price of every yUSDVault share becomes $2.
Since yUSDVault is now worth double, C.R.E.A.M. now thinks that the account A cryUSD is now worth $3b instead of the original $1.5b. Additionally, Account B’s debt is now $3 billion against collateral of just $2 billion. In the final step, the attacker used $ 3 billion of cryUSD collateral in Account A to borrow $2 billion ETH, Account A now has $2b ETH, $500m yUSD and $1 billion in C.R.E.A.M. collateral. Finally the attacker uses ETH and yUSD to pay back the flash loans and utilize the remaining $1 billion collateral to borrow around $136 million left in C.R.E.A.M.
Remedial Actions Taken by C.R.E.A.M. Finance
To begin with C.R.E.A.M. Finance suspended all interactions with Ethereum v1 markets and locked crTokens on C.R.E.A.M. Ethereum v1 markets, therefore, more crTokens could not be transferred. Recognizing that the key vulnerabilities lie in the price calculation of wrappable tokens. C.R.E.A.M. Finance stopped all supply/borrowing of wrappable tokens, including all PancakeSwap LP tokens.
Wrapped tokens are those tokens whose value is tied to that of an underlying cryptocurrency. Further, C.R.E.A.M. Finance encouraged the attacker to reach out and began a dialogue for the return of users’ funds. Further, they also promised to honor a bug bounty of 10% upon return of funds.
Yearn.Finance successfully salvaged $9.42 million the attacker “donated” to the yUSD vault to manipulate the price per share as part of the attack and is in the process of returning funds to the C.R.E.A.M. Multisig.
Merkle Science’s On-Chain Analysis
As per Merkle Science’s analysis, the hack took place on October 28, 2021, and the total value of assets stolen was over $136 million. According to Merkle Science’s analysis, the attacker’s address from which the hack was initiated was 0x24354d31bc9d90f62fe5f2454709c32049cf866b. This is the address that received all the stolen funds after the hack. This amount was then split between two address 0x921760e71fb58dcc8DE902cE81453E9e3D7fe253 and 0x70747df6AC244979A2ae9CA1e1A82899d02bbea4.
The following tokens and their respective amounts have been listed below for reference.
| Token Name | Token Value | USD Price | Token Value USD |
| Ether | 2,760.22 | $4,152.57 | $41,451,415.95 |
| FEI | 3,817,374.50 | $1.00 | $11,462,007.56 |
| DPI | 15,567.58 | $355.48 | $8,482,951.78 |
| BUSD | 510,018.97 | $1.00 | $8,109,199.33 |
| USDC | 1,690,395.70 | $1.00 | $7,636,531.34 |
| USDT | 3,780,808.76 | $1.00 | $5,533,924.98 |
| HBTC | 20.08 | $60,603.80 | $5,256,796.16 |
| WBTC | 32.73 | $60,603.80 | $4,162,514.11 |
| bBADGER | 48,361.42 | $35.61 | $3,817,374.50 |
| renBTC | 23.26 | $60,279.93 | $3,780,808.76 |
| OCEAN | 1,272,378.57 | $0.93 | $3,103,966.83 |
| OGN | 1,067,935.59 | $0.88 | $2,856,501.72 |
| FRAX | 782,197.34 | $1.00 | $2,449,223.86 |
| AAVE | 2,190.16 | $329.16 | $2,090,847.54 |
| UST | 803,779.11 | $1.00 | $1,983,503.41 |
| YFI | 35.07 | $37,544.01 | $1,919,269.40 |
| BAL | 27,962.14 | $24.51 | $1,722,314.49 |
| COMP | 275.1 | $342.57 | $1,690,395.70 |
| yDAl+yUSDC+yUSDFITUSD | 166,322.91 | $1.00 | $1,402,155.38 |
| LINK | 11,790.56 | $32.45 | $1,327,568.87 |
| CRV | 165,940.54 | $4.61 | $1,325,841.97 |
| MTA | 283,272.63 | $0.97 | $1,316,700.36 |
| SUSHI | 116,602.96 | $11.39 | $1,217,081.84 |
| FTX | 38,922.15 | $62.93 | $1,178,742.41 |
| SRM | 109,383.94 | $7.63 | $937,404.61 |
| UNI | 156,629.16 | $26.58 | $834,170.69 |
| wNXM | 135,402.94 | $59.89 | $803,779.11 |
| CEL | 54,380.22 | $4.87 | $782,197.34 |
| BOND | 899.86 | $28.67 | $765,601.16 |
| KP3R | 871.6 | $383.96 | $721,689.67 |
| HFIL | 4,914.34 | $62.45 | $720,921.12 |
| CRETH2 | 12,266.46 | $3,379.25 | $685,226.96 |
| DAI | 1,325,841.97 | $1.00 | $510,018.97 |
| HEGIC | 538,952.21 | $0.14 | $495,000.38 |
| ESD | 2,821,793.10 | $0.03 | $485,808.79 |
| 1INCH | 64,359.29 | $3.95 | $431,257.71 |
| OMG | 7,815.94 | $14.17 | $382,623.63 |
| xSUSHI | 623,760.53 | $13.60 | $334,657.28 |
| SLP | 611.57 | $0.07 | $306,911.19 |
| SLP | 3,085.26 | $0.07 | $297,730.75 |
| SLP | 16.6 | $0.07 | $273,620.81 |
| PICKLE | 76.07 | $9.68 | $264,608.39 |
| AKRO | 3,203,107.70 | $0.04 | $254,128.23 |
| ALPHA | 194,020.72 | $1.10 | $213,422.95 |
| FTM | 137,235.69 | $3.14 | $166,322.91 |
| RUNE | 418,917.29 | $12.55 | $117,434.56 |
| PERP | 447,222.59 | $17.08 | $110,788.82 |
| yvCurve-lronBank | 480,582.89 | $1.03 | $94,240.96 |
| yvCurve-stETH | 747.48 | $4,152.57 | $86,450.33 |
| ARMOR | 1,515,737.12 | $0.20 | $84,841.04 |
| VSP | 488.51 | $6.69 | $77,338.17 |
| vVSP | 46,893.19 | $10.36 | $70,854.23 |
| GNO | 6,937.02 | $411.78 | $58,538.71 |
| SWAP | 79,792.24 | $1.08 | $53,983.79 |
| WOO | 578,182.81 | $1.25 | $25,798.56 |
| BNT | 12,804.66 | $4.22 | $3,266.82 |
| EURT | 1,656,508.17 | $1.16 | $2,576.60 |
| ibBTC | 0.98 | $59,674.65 | $735.95 |
| YGG | 341,681.58 | $6.12 | $216.39 |
| SAND | 3,103.00 | $0.83 | $42.89 |
| MANA | 86,956.33 | $0.81 | $1.16 |
| Total | $136,731,849.88 | ||