Cream Finance Hacked for $130 Million

Insured Finance
Nov 5, 2021

The Intelligent Insurer #40 — Repeated exploits prompt calls for smart contract insurance from users

On Wednesday, October 27th, 2021, Cream Finance announced it was the victim of a hack with at least $130 million stolen from the decentralized lending platform. According to PeckShield, a flash loan was used to carry out this exploit. This incident comes close on the heels of a previous security mishap and has left users questioning the viability of DeFi protocols.

In the latest Intelligent Insurer, we highlight the details of this exploit, the response from the project’s team, and how members of the community are reacting to the situation. However, we’ll first highlight the progress we’ve made via our weekly development update.

Insured Finance development update

We made significant progress this week and completed testing on our closed Alpha release. We continued preparation by reaching out to auditors to validate our smart contracts and are working on improvements identified by our testers. We remain steadfast in our commitment to provide our users a secure digital asset insurance platform and continue to rigorously test it for bugs and improvements.

  • Analytics are now fully integrated and our “create” and “take” listings have been improved following feedback from the community manager.
  • We defined essential metrics for the INFI marketplace in preparation for our MVP presentation.
  • We completed documenting all the analytics tools users have access to on our platform.
  • We continue to improve platform security and are researching the implementation of proxy contract patterns so as to make our smart contracts upgradable.

Our next-generation digital asset insurance platform is primed to give users access to the products they need to gain more confidence in the DeFi ecosystem. Our commitment to user security and convenience is unparalleled as we continue to make improvements to our UI and UX.

Cream Finance suffers security exploit once again

Cream Finance is no stranger to hacks. The platform suffered an exploit on August 30th, 2021, when a hacker stole $19 million from the platform in ETH and AMP. On that occasion, most of the funds were returned. However, the platform wasn’t as lucky this time around.

Cream Finance confirmed the exploit via a tweet and announced that the Ethereum C.R.E.A.M v1 lending markets were exploited and liquidity duly removed. According to their reports, most of the stolen funds were in Cream LP tokens and other ERC-20 tokens.

https://twitter.com/CreamdotFinance/status/1453455806075006976?s=08

In a follow-up tweet, Cream Finance informed its users that with the help of DeFi community @iearnfinance, the vulnerability had been identified and patched. They also announced plans to release a post-mortem report, in what has now become the norm once an exploit has occurred. As of this writing, Cream has not announced any plans to compensate its users.

The DeFi community was understandably outraged at the latest incident. There is a fear that these security exploits are being normalized in the community, with project developers merely expressing “apologies and regrets” in tweets following such incidents.

This latest hack ranks as the third largest in history, per Rekt’s leaderboard. Alarmingly, this hack has triggered a second wave of panic due to a message the hacker left, where they mentioned other lending platforms.

(Source: Rekt.news)

Hacker’s message prompts digital asset insurance questions

The hacker left a cryptic message behind, writing “gÃTµ Baave lucky, iron bank lucky, cream not. ydev : incest bad, dont do.” The DeFi community focused on the mentions of DeFi lending platforms Aave and Iron Bank, prompting fears of further exploits.

https://twitter.com/VadimKhramov/status/1453507131471278080?s=08

Some platform users expressed their dissatisfaction with the overall development, voicing concerns over repeated exploits of vulnerabilities in Cream’s flash loan protocol. One user questioned the team for not having adopted smart contract insurance yet.

https://twitter.com/garychang0122/status/1453546837969813504?s=08

This time, the stolen funds appear to have been moved to an unknown wallet, with no sign of retrieval yet, even after several days. This cycle of thefts, apologies, and promises of future updates shows no sign of slowing down and DeFi investors have every reason to be alarmed by these developments.

(Source: Nansen.ai)

Decentralized insurance platforms like Insured Finance are a stellar solution to such exploits. Users can purchase or provide insurance for digital assets and ensure their funds are always protected. DeFi protocols are technically complex and investors cannot comprehend all possible vulnerabilities. With project teams unable to guarantee fund safety, digital asset insurance is the way forward for the DeFi sphere.

About Insured Finance

Insured Finance is a decentralized, peer-to-peer insurance marketplace. Users can request customized insurance on a wide variety of digital assets, thereby ensuring full protection. Those fulfilling requests can earn premiums and a competitive return on their capital. Claims are fully collateralized and settled instantly.
