Cream Finance Offers the Attacker 10% of Stolen Funds as Bug Bounty on Return of Funds
In its post mortem of its third hack this year, this time of $130 million, Cream Finance said it is working with the authorities to trace the attacker.
In the hack, only the Ethereum v1 markets were impacted, and all the other v1 markets and the Iron Bank were safe, it added. The vulnerability has now also been patched.
As for what happened, the decentralized finance (DeFi) project Cream Finance noted that it was a mix of economic and oracle exploits.
The attacker flash borrowed DAI from lending protocol MakerDAO to create a large amount of yUSD tokens while simultaneously exploiting the price oracle's calculation of the yUSD price by manipulating the multi-asset liquidity pool, containing yDAI, yUSDC, yUSDT, and yTUSD, on which the price oracle relied, all in a single transaction.
By increasing the yUSD price per share, the attacker’s yUSD position was artificially increased, creating a sufficient borrow limit to remove the vast majority of the liquidity from C.R.E.A.M. Ethereum v1 markets, explained the team.
In response, all interactions with Cream’s Ethereum v1 markets have been suspended, and the crTokens on them have been locked, making them non-transferable.
“The key vulnerability lies in the price calculation of a wrappable token. We have stopped all supply/borrow of wrappable tokens, including all PancakeSwap LP tokens,” said the team.
Meanwhile, the Yearn Finance team successfully salvaged 9.42 mln that the attacker donated to the yUSD vault as part of the attack. The funds will soon be returned to the Cream multisig.
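An added illustration, not code from Cream Finance or Yearn: a simplified Python model of why valuing a wrappable token by its spot price per share is fragile as a collateral price, next to one hypothetical guard that bounds how far the oracle price may move per update. All names and numbers are constructed and do not reproduce the actual contracts or amounts.

```python
"""Toy model (constructed numbers): spot price-per-share as a collateral oracle."""
from dataclasses import dataclass


@dataclass
class Vault:
    total_assets: float  # underlying tokens held by the vault
    total_shares: float  # wrapped (share) tokens outstanding

    def price_per_share(self) -> float:
        return self.total_assets / self.total_shares

    def donate(self, amount: float) -> None:
        # A direct transfer raises assets without minting any new shares,
        # so every existing share is suddenly "worth" more.
        self.total_assets += amount


def borrow_limit(shares: float, price: float, collateral_factor: float = 0.75) -> float:
    """Borrowing power a lending market grants for `shares` valued at `price`."""
    return shares * price * collateral_factor


class BoundedOracle:
    """Hypothetical mitigation: clamp each update to +/- max_step of the last price."""

    def __init__(self, initial_price: float, max_step: float = 0.02):
        self.price = initial_price
        self.max_step = max_step

    def update(self, spot: float) -> float:
        lo = self.price * (1 - self.max_step)
        hi = self.price * (1 + self.max_step)
        self.price = min(max(spot, lo), hi)
        return self.price


def simulate(donation: float, held_shares: float):
    """Return (limit before, limit with spot oracle, limit with bounded oracle)."""
    vault = Vault(total_assets=10_000_000.0, total_shares=10_000_000.0)
    guarded = BoundedOracle(vault.price_per_share())
    before = borrow_limit(held_shares, vault.price_per_share())
    vault.donate(donation)
    spot_after = borrow_limit(held_shares, vault.price_per_share())
    guarded_after = borrow_limit(held_shares, guarded.update(vault.price_per_share()))
    return before, spot_after, guarded_after


if __name__ == "__main__":
    print(simulate(donation=10_000_000.0, held_shares=8_000_000.0))
```

With the spot calculation the borrow limit doubles within the same step as the donation, while the bounded oracle lets it rise by at most 2%.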
The team is currently working on a plan to restore the lost funds, starting with a partial payment, the details of which will be shared in the coming days.
Cream Finance also announced a bug bounty under which the attacker is encouraged to reach out to the team and return users’ funds in exchange for keeping 10% of the funds.
“They are impacting everyday users of DeFi, and we would like them to do the right thing,” said Cream Finance.
As a result of the attack, the total value locked (TVL) in the project dropped by $370 million to $1.32 bln last week and has not recovered, with the TVL currently sitting at $1.44 bln.
Much like the funds, the price of the CREAM token hasn’t pared its losses either. Currently trading at $101.11, the price is near the $98.41 low it dropped to last week and is down 73% from its all-time high of $374 hit in February.