Ethereum DeFi Protocol Cream Finance Loses $130M In A Hacking Attack

The Cream Finance team announced on Twitter a hacking incident in which over $130 million worth of tokens were taken.
Cream Finance further explained:
“With the help of friends from @iearnfinance and others in the community, we were able to identify the vulnerabilities and patch them. In the meantime, we’ve paused our v1 lending markets on Ethereum and we’re in the process of putting together a post-mortem review.
We apologize to our users and community for this unfortunate incident and thank you for your support.”
The exploit was highlighted by PeckShield, which identified a large flash loan transaction that was used to carry it out.
Blockchain records show that $92 million was moved to one address and $23 million to another; other funds were also taken. The funds are now being moved around to different wallets.
The majority of the funds stolen were in Cream LP tokens and other ERC-20 tokens. Users receive Cream LP tokens when they deposit funds into the Cream pools.
Since the news of the exploit, the price of Cream (CREAM) has dropped from $152 to $102, where it currently sits, according to CoinGecko.
According to the exploit transaction, the hacker left a somewhat unusual message:
“gÃTµ Baave lucky, iron bank lucky, cream not. ydev : incest bad, dont do.”
The message seems to be referring to DeFi lending platforms Aave and Iron Bank, and Cream Finance.
Cream Finance is a decentralized lending protocol built on the Ethereum blockchain. The protocol has notably suffered multiple flash loan attacks in its history, losing $37.5 million in February and then another $18.8 million in August.
Today’s hack is the third-largest DeFi hack in history, according to Rekt’s leaderboard. In the cases of the two largest hacks, the funds were returned.
The total amount of funds stolen in DeFi attacks is now over $500 million.









