$37,500,000 Lost by CREAM DeFi in Largest Flash-Loan Attack Ever
Today, Feb.13, 2021, an attack was organized against the large-scale decentralized financial protocol CREAM. Users drained its v2, also named IronBank for $37,500,000.
One attack, five protocols involved
According to the official announcement by the CREAM team, an exploit of the protocol's mechanisms was disclosed on Feb. 13, 2021, at around 9:00 a.m. UTC. An investigation began immediately after this warning.
Seasoned crypto researcher Igor Igamberdiev promptly released his suggestions as to the attack's design. According to his report, the attackers used another top 10 DeFi, Alpha Homora, to authorize a series if borrowings of sUSD from IronBank. Then, all assets were immediately lent back to IronBank in order to receive cySUSD.
Then, the malefactors took out a flash-loan on Aave Protocol (AAVE) and swapped it for sUSD through Curve Finance (CRV). The entire massive amount of money was used to take more cySUSD again and again.
When the sum of cySUSD reached the level of "incredible," the hackers lent Wrapped Ethereums (WETH) and stablecoins (USDC, USDT and DAI) to their victim.
New normal?
As a result, 13,200 WETH, 3,600,000 USDC, 5,600,000 USDT and 4,200,000 DAI were transferred to the attackers' pockets.
They sent stablecoins to Aave, laundered some coins through Tornado Cash and granted 100 Ethers to Tornado. Thus, more than 11,000 Ethers (ETH) stayed in their wallet.
As covered by U.Today previously, top-league DeFi protocol Yearn.Finance (YFI) was drained by a similar attack nine days ago. As in Cream's case, the malefactors used a number of protocols to attack their victim.
Aggregated losses surpassed $11,000,000.