$37,500,000 Lost by CREAM DeFi in Largest Flash-Loan Attack Ever

Sat, 02/13/2021 - 14:35
Vladislav Sopov
IronBank, the second iteration of the CREAM decentralized financial protocol, falls victim to a sophisticated flash-loan attack

Today, Feb. 13, 2021, an attack was organized against the large-scale decentralized financial protocol CREAM. Users drained its v2, also named IronBank, of $37,500,000.

One attack, five protocols involved

According to the official announcement by the CREAM team, an exploit of the protocol's mechanisms was disclosed on Feb. 13, 2021, at around 9:00 a.m. UTC. An investigation began immediately after this warning.

Seasoned crypto researcher Igor Igamberdiev promptly released his suggestions as to the attack's design. According to his report, the attackers used another top 10 DeFi protocol, Alpha Homora, to authorize a series of borrowings of sUSD from IronBank. Then, all assets were immediately lent back to IronBank in order to receive cySUSD.

Then, the malefactors took out a flash-loan on Aave Protocol (AAVE) and swapped it for sUSD through Curve Finance (CRV). The entire massive amount of money was used to take more cySUSD again and again.

When the amount of cySUSD reached an "incredible" level, the hackers lent Wrapped Ether (WETH) and stablecoins (USDC, USDT and DAI) to their victim.

New normal?

As a result, 13,200 WETH, 3,600,000 USDC, 5,600,000 USDT and 4,200,000 DAI were transferred to the attackers' pockets. 

They sent stablecoins to Aave, laundered some coins through Tornado Cash and granted 100 Ethers to Tornado. Thus, more than 11,000 Ethers (ETH) stayed in their wallet.

As covered by U.Today previously, top-league DeFi protocol Yearn.Finance (YFI) was drained by a similar attack nine days ago. As in Cream's case, the malefactors used a number of protocols to attack their victim.

Aggregated losses surpassed $11,000,000.
