Yesterday, Cream Finance was hacked for the third time. The stolen funds amount to about $130 million, placing the incident second in the ranking of hacks in the world of cryptocurrencies.
Cream Finance is a decentralized lending platform built on the Ethereum blockchain.
The latest hack against Cream Finance
Yesterday's incident was detected by blockchain security companies PeckShield and SlowMist and was later confirmed by Cream's own team.
Our initial analysis of the Cream Finance attack: https://t.co/TysI7fjyPU @Mudit__Gupta @bantg @CreamdotFinance pic.twitter.com/wScUvizBtX
— BlockSec (@BlockSecTeam) October 27, 2021
The attackers are believed to have found a vulnerability in the platform’s lending system and used it to their advantage. According to blockchain logs, the stolen funds were mostly in Cream LP tokens and ERC20 tokens.
A few hours after the attack, Cream Finance gave assurances that the bug had been fixed with the help of the Yearn platform.
However, this did not prevent the price of the CREAM token from plummeting from $152 to $111 in a matter of minutes, a drop of 27% according to CoinGecko.
The hacker also seems to have left an unusual message, which reads:
“gÃTµ Baave lucky, iron bank lucky, cream not. ydev : incest bad, dont do.”
Was he referring to the other DeFi lending platforms, Aave and Iron Bank?
DeFi under attack
As mentioned, this is the third hack in 2021 for Cream Finance. The company lost $37 million in February and another $29 million in August.
All the attacks were flash loan exploits, which have also been the most common way in which most DeFi platforms have been hacked in the last two years.
CipherTrace in an August report stated:
“DeFi related hacks have accounted for 76% of all major hacks in 2021, and users have lost more than $474 million to attacks on DeFi platforms this year”.
The vulnerability of smart contracts thus remains one of the main problems in the cryptocurrency world and one of the main reasons why this world is still in the hands of a relatively small circle of people.