DeFi Protocols Cream Finance and Alpha Finance were exploited for roughly $37.5 million after taking out a flash-loan. The attacker executed a multi-step process including a series of flash loans. They’ve started distributing the funds to various addresses. Cream Finance through their official accounts revealed that they suffered a “potential exploit” and are investigating the attack.
We are aware of a potential exploit and are looking into this. Thank you for your support as we investigate.
— Cream Finance 🍦 (@CreamdotFinance) February 13, 2021
This attacker used multiple transactions to break-in Alpha Finance’s vaults and tricked people to believe that Cream’s Iron Bank was affected. Alpha Finance also posted its own announcement, mentioning that its Alpha Homora V2 product was the root cause of this attack. As soon as they found out about this attack, they confirmed working with DeFi guru Andre Cronje and Cream Finance to further examine the incident, and fix the loophole.
Dear Alpha community, our partners, and DeFi users, we'd like to share a post mortem on the recent Alpha Homora V2 exploit.
We’d like to sincerely thank everyone who has helped us, both on the technical and non-technical sides.
— Alpha Finance Lab (@AlphaFinanceLab) February 13, 2021
At the press time, Cream officially stated that its contracts and loan markets are functioning normally, and both V1 and V2 versions have been activated again.
The research analyst at The block shared his findings on twitter soon after the incident. He analyzed the process of the exploitation of about $3,750 in funds from IronBank, a zero-collateralized loan introduced by Cream Finance.
IronBank ($CREAM) was exploited on $37.5M, let’s take a quick look at what happened.👇
1/ Attacker used Alpha Homora for borrowing sUSD from IronBank.
Each time they borrow twice as much as in the previous one.
— Igor Igamberdiev (@FrankResearcher) February 13, 2021
Per Frank researcher, the attacker borrowed sUSD from IronBank using Alpha Homora. The attacker was borrowing twice the debt issued previously by doing two transactions at a time, and every time they were lending funds back, they were receiving cySUSD. The attacker took a flash loan of $1.8M USDC from defi protocol Aave v2 and then used curve to swap USDC to sUSD. They further started lending funds to these sUSD to continue the process, and was receiving cySUSD. At last the attackers successfully acquired enough cySUSD using which they borrowed 13.2k WETH, 3.6M USDC, 5.6M USDT and 4.2M DAI.
Flash Loan Attacks Poses Major Threat to Defi
Flash loans have attracted considerable attention lately in the fast-growing DeFi sector. In a Flash loan scheme,users can borrow crypto without relinquishing any collateral as it is believed that the fund would be returned immediately. Flash Loan attacks can grab millions in one single transaction. It becomes easy for attackers as they no longer require to have any skin in the game and hence eliminates risk for attack. Many defi protocols have been targeted in the past few months.
Cobo co-founder, Shenyu posted on Weibo yesterday, mentioning that the rough and fast DeFi development method represented by AC (YFI founder Andre Cronje) lacks regression testing, and its drawbacks are beginning to appear. It is worth mentioning that hacker attacks have occurred in many projects in the Year ecosystem. These include Pickle, SushiSwap, Year and today’s Cream.