Decentralized finance (DeFi) money market and lending service C.R.E.A.M. Finance appears to have been the target of a devastating exploit Wednesday morning that drained over $1 billion in funds, likely the largest DeFi exploit to date. According to Cream’s native front end, most Ethereum-based pools are now empty. Per DeFillama, the protocol previously had $1.06 […]
Decentralized finance (DeFi) money market and lending service C.R.E.A.M. Finance appears to have been the target of a devastating exploit Wednesday morning that drained over $1 billion in funds, likely the largest DeFi exploit to date.
According to Cream’s native front end, most Ethereum-based pools are now empty. Per DeFillama, the protocol previously had $1.06 billion in total value locked (TVL), or invested.
Cream’s official Twitter account acknowledged the attack in a Tweet:
We are investigating an exploit on C.R.E.A.M. v1 on Ethereum and will share updates as soon as they are available.
— Cream Finance 🍦 (@CreamdotFinance) October 27, 2021
The protocol has an additional $460 million in TVL across Binance Smart Chain, Polygon, Avalanche and Fantom. It is unclear if those funds are also at risk.
The funds appear to have been taken using a flash loan in a notably complex transaction that involved 68 different assets and cost over 9 ETH in gas. Of the $1 billion lost, the attacker netted roughly $130 million in various cryptocurrencies, of which $40.6 million may be in illiquid assets which could make them difficult to sell.
The attacker is now working to “wash” the funds primarily using Ren’s Bitcoin bridge. As is often the case following exploits, individuals are now using Ethereum transactions to ask for donations.
A Cream representative did not respond to a request for comment by press time.
UPDATE (Oct. 27 16:07 UTC): Added TVL information and new developments from attacker’s Ethereum address. Removed reference to Curve’s 3Pool as a mixer.