Security News > 2021 > October > Yet again, Cream Finance skimmed by crooks: $130m in crypto assets stolen

Yet again, Cream Finance skimmed by crooks: $130m in crypto assets stolen
2021-10-28 19:59

Decentralized finance biz Cream Finance became further decentralized on Wednesday with the theft of $130m worth of crypto assets from its Ethereum lending protocol.

"Our Ethereum C.R.E.A.M. v1 lending markets were exploited and liquidity was removed on October 27, 1354 UTC," the Taiwan-based biz said.

Rendered as an acronym, C.R.E.A.M. stands for Crypto Rules Everything Around Me, and as noted the last time this occurred - when $18.8m in tokens were stolen a mere two months ago - that's a claim that's difficult to reconcile with the repeated looting of company coffers.

Lest we forget, the upstart, which currently has a market capitalization of about $66m based on the number of CREAM tokens in circulation, reportedly lost $37m in February.

"The hack is made possible due to a price manipulation bug in CREAM price oracle," said PeckShield via Twitter, referring to the mechanism used to look up asset price information in a decentralized system.

"They then doubled the value of the shares atomically by donating yUSD to the yearn vault. This meant that their debt on Cream became $3bn against a $2bn collateral. They can now default and take home a sweet $1bn profit. Cream only had $130m assets available for lending, so the attacker was limited to $130m profits."


News URL

https://go.theregister.com/feed/www.theregister.com/2021/10/28/cream_ethereum_theft/