• Cream Finance offers the attacker 10% of the stolen funds as a bug bounty on fund return

  • Cream Finance stated in its post mortem of the third hack of the year, this time involving $130 million, that they are working with authorities to identify the attacker.

    Only the Ethereum v1 markets were impacted by the hack, and all other v1 markets and the Iron Bank were unaffected, it added. The vulnerability has now been patched as well.

    What happened, according to the decentralized finance (DeFi) project Cream Finance, was a combination of economic and oracle exploits.

    The attacker flash borrowed DAI from lending protocol MakerDAO to create a large number of yUSD tokens while simultaneously exploiting the price oracle calculation for yUSD price through manipulation of the multi-asset liquidity pool on which the price oracle relied — all in a single transaction.

    The attacker’s yUSD position was artificially increased by increasing the yUSD price per share, creating a sufficient borrow limit to remove the vast majority of liquidity from C.R.E.A.M. Ethereum v1 markets, according to the team.
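The mechanism described above, as an added example rather than code from Cream Finance or Yearn: a toy Python model in which a collateral oracle reads a vault's spot price per share, so a direct donation to the vault raises the borrow limit within the same transaction. The vault sizes, collateral factor, donation amount and the `BoundedOracle` rate limit (one hypothetical mitigation, not the project's actual patch) are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed toy model: every name and number here is an illustrative assumption.
@dataclass
class Vault:
    total_assets: float   # underlying tokens held by the vault
    total_shares: float   # wrapped (share) tokens outstanding

    def price_per_share(self) -> float:
        return self.total_assets / self.total_shares

    def donate(self, amount: float) -> None:
        # A direct transfer adds assets without minting shares,
        # so price per share rises for every existing holder.
        self.total_assets += amount

class BoundedOracle:
    """Hypothetical mitigation: update once per block, by at most max_step."""
    def __init__(self, vault: Vault, max_step: float = 0.02):
        self.vault, self.max_step = vault, max_step
        self.last_price, self.last_block = vault.price_per_share(), 0

    def price(self, block: int) -> float:
        if block > self.last_block:
            lo = self.last_price * (1 - self.max_step)
            hi = self.last_price * (1 + self.max_step)
            self.last_price = min(max(self.vault.price_per_share(), lo), hi)
            self.last_block = block
        return self.last_price

def borrow_limit(shares: float, price: float, collateral_factor: float = 0.75) -> float:
    return shares * price * collateral_factor

def simulate(donation: float = 8_000_000.0) -> dict:
    vault = Vault(total_assets=10_000_000.0, total_shares=10_000_000.0)
    oracle = BoundedOracle(vault)          # last accepted price recorded at block 0
    held = 5_000_000.0                     # shares posted as collateral
    before = borrow_limit(held, vault.price_per_share())
    vault.donate(donation)                 # same-transaction inflation, in block 1
    return {
        "before": before,
        "spot_after": borrow_limit(held, vault.price_per_share()),
        "bounded_after": borrow_limit(held, oracle.price(block=1)),
        "bounded_reread": borrow_limit(held, oracle.price(block=1)),
    }

if __name__ == "__main__":
    for name, limit in simulate().items():
        print(f"{name:>15}: {limit:,.0f}")
```

With the spot reading the borrow limit grows in step with the donation, while the bounded reading moves by at most 2% per block and does not change on a second read in the same block.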

    As a result, all interactions with Cream’s Ethereum v1 markets have been halted, and crTokens on them have been locked, rendering them non-transferable.

    “The main flaw is in the price calculation of a wrappable token.” “We have ceased all supply and borrowing of wrappable tokens, including all PancakeSwap LP tokens,” the team stated.

    Meanwhile, the Yearn Finance team successfully recovered $9.42 million that the attacker had donated to the yUSD vault as part of the attack. The funds will be returned to the Cream multisig as soon as possible.

    The team is currently working on a plan to restore lost funds, beginning with a partial payment, the details of which will be shared in the coming days.

    Cream Finance has also announced a bug bounty program in which the attacker is encouraged to contact the team and return users’ funds in exchange for a 10% cut of the funds.

    “They have an impact on everyday DeFi users, and we would like them to do the right thing,” Cream Finance said.

    As a result of the attack, the total value locked (TVL) in the project dropped by $370 million to $1.32 billion last week, but has since recovered to $1.44 billion.

    The CREAM token’s price, like that of the funds, has not recovered its losses. The token is currently trading at $101.11, close to the $98.41 low reached last week, and is down 73 percent from its all-time high of $374 set in February.
