Cream Finance hacked for $130m in latest DeFi attack
Cream Finance, a lending protocol based on the Ethereum network, has lost $130m of assets in one of the biggest DeFi thefts to date.
The team behind Cream Finance confirmed its lending markets had been targeted by a large flash loan transaction, a type of exploit which is frequently used by hackers to target vulnerabilities in lending protocols.
“The attacker removed a total of ~$130m USD worth of tokens from these markets,” the team wrote. “With the help of friends from @iearnfinance and others in the community, we were able to identify the vulnerabilities and patch them.”
The hacker concealed an unusual message in a string of code which accompanied the transaction used for the attack. They said: “gÃTµ Baave lucky, iron bank lucky, cream not. ydev : incest bad, dont do,” in a comment which seemed to refer to Aave and Iron Bank, two other lending protocols.
The funds were initially sent to a single address, but have since been sent to multiple addresses and liquidity pools.
Yesterday’s attack was not the first time Cream has been targeted: earlier exploits drained $38m of funds in February and almost $19m in August.
The protocol announced that it had paused its lending markets on Ethereum while the company puts together a post-mortem review of the attack.
The attack, the largest in the history of DeFi, brings the total amount stolen in DeFi attacks to $403m, according to data from The Block. While over $600m was stolen in an exploit of Poly Network earlier this year, the majority of the funds were later returned.
Mary Beth Buchanan, Chief Legal Officer for blockchain analytics company Merkle Science, called on developers in the fast-evolving DeFi space to “propose technical solutions to regulatory problems surrounding DeFi.”
“They need to be proactive in creating technical compliance solutions,” said Buchanan, who pointed out that protocol developers are best placed to identify systemic risks.