A $37 Million DeFi Heist Cost Attackers Just $15,000 in Transaction Fees

Avatar for CyberPython
3 years ago

The price of C.R.E.A.M., the token that powers an eponymous decentralized finance lending protocol, today crashed from $288 to $193 in just one hour following an apparent flash loan exploit that drained $37 million from the protocol. C.R.E.A.M.’s price is now $223. 

No official confirmation of the attack has been given by Cream Finance, but the team tweeted to announce their awareness of a ‘potential exploit.’ More than two hours later, fellow DeFi protocol Alpha Finance announced it had also been the victim of an ‘exploit.’

In an analysis of the attack, The Block’s crypto researcher, Igor Igamberdiev, concluded that experienced DeFi hackers made off with over $37.5 million in a complex, multi-step attack involving flash loans, which are instant crypto loans. The attackers took out crypto loans from lending protocols and then invested them into CREAM’s lending platform, Iron Bank. Iron Bank had recently been upgraded to enable collateral-free borrowing from Alpha Finance, and the exploiter received special derivative tokens called cySUSD.

A Flash Loan Con

The exploiter took out enough loans that they got a tremendous amount of cySUSD tokens, which they could use to “borrow anything from IronBank,” tweeted Igamberdiev. 

So the exploiter borrowed 13,244 ETH ($23.8 million), $3.6 million in US dollar stablecoin USDC, $5.6 million in US dollar stablecoin USDT and $4.2 million in a decentralized US dollar stablecoin, DAI. That amounts to about $37 million. 

According to the blockchain trail, 1000 ETH ($1.8 million) was refunded to both Alpha’s protocol and Cream Finance, another 320 ETH ($577,238) was sent to Tornado, a privacy tool for Ethereum, and still more went to repay the massive loans necessary for the attack.

The exploiter even used 100 ETH to fund a Gitcoin grant on Tornado, according to “pantsme,” a pseudonymous blockchain developer. The exploiter kept about $19.9 million for themselves.
