Decentralized finance (DeFi) money market and lending service CREAM Finance appears to have been the target of a devastating exploit Wednesday that drained over $1 billion in funds, likely the largest exploit to date.
According to CREAM’s native frontend, most Ethereum-based pools are now empty.
The funds appear to have been taken using a flash loan in a notably complex transaction that involved 68 different assets and cost over 9 ETH in gas.
At the time of writing the attacker’s contract holds $92 million in various crypto assets, and the contract creator’s address holds $22 million.
The attacker is now using various privacy-preserving mixing services, such as Curve’s 3pool, to ‘wash’ the funds.
A CREAM representative did not respond to a request for comment by press time.
This is a developing story and will be updated.