A $37 million DeFi robbery involved the CREAM Finance and Alpha Finance protocols

Using flash loans, the hackers managed to steal around $37.5 million distributed in various cryptocurrencies and stablecoins.

A complex attack

The price of CREAM, the token that powers a decentralized finance lending protocol of the same name, today plummeted from $288 to $193 in a single hour following an apparent exploit via a flash loan that drained $37 million from the protocol. The price of CREAM is now $223.

No official confirmation of the attack was given by Cream Finance, but the team posted a tweet to announce that they are aware of a "potential exploit". More than two hours later, another DeFi protocol linked to the first and known as Alpha Finance announced that it had been the victim of an "exploit".

According to initial analyses of what happened, it appears that one or more DeFi-savvy hackers stole over $37.5 million in a complex, multi-stage attack involving flash loans, also known as instant crypto loans.

Hackers got a crypto loan from Alpha Finance, investing the money in CREAM's lending platform, Iron Bank. Iron Bank had recently been upgraded to allow unsecured lending from Alpha Finance, and the exploiter received special derivative tokens called cySUSD.

The flash loan strategy

The thief managed to get enough loans to amass a huge amount of cySUSD tokens, which could be used to borrow anything on Iron Bank. The thief then borrowed 13,244 ETH ($23.8 million), $3.6 million in the USDC stablecoin, $5.6 million in the USDT stablecoin and $4.2 million in the decentralized DAI stablecoin.

The sum is equivalent to approximately $37 million. According to the trace left on the blockchain, 1,000 ETH ($1.8 million) were repaid to both the Alpha protocol and Cream Finance, and another 320 ETH ($577,238) were sent to Tornado, an Ethereum privacy tool, in addition to other repayments made to cover the huge loans that were needed for the attack. The hacker kept around $19.9 million, and the entire exploit cost only $14,754 in Ethereum blockchain fees to build.

DeFi problems

Alpha Finance tweeted that the bug had been fixed, and Cream Finance announced in another tweet that "CREAM contracts and markets have been inspected and found to function normally," but for many it is a reminder of the precariousness of DeFi protocols.

DeFi is susceptible to flash loan-based exploits like this one. In a notorious case before Christmas, the newly launched DeFi platform Warp Finance was robbed of $7.7 million in stablecoins in another flash loan attack. And in an attack on the Compound crypto lending platform, the exploiters took home $89 million. It is clear, therefore, that more needs to be done to prevent cryptocurrencies from continuing to be stolen from the DeFi environment.