Subscribe & Save 5% on Cryptonary Pro!

Another DeFi exploit: Cream Finance loses $37.5 million in a hack

  • A DeFi project loses $37.5 million in a security breach.
  • The attacker got away with Ether and stablecoins.
  • A prime suspect has been identified by Alpha Finance

Cream Finance, a multi-purpose DeFi project built on the Ethereum network, is the latest victim of a security breach.

The hacker made off with $37.5 million in Ether, USDC, USDT, and DAI.

IronBank attack

CREAM, an acronym for Crypto Rules Everything Around Me, acknowledged the hack in a social media post and is investigating.

While the project is still investigating how it was exploited, analysts claim that the hacker used Alpha Homora to borrow sUSD from IronBank. Each subsequent borrow was double the previous one.

They did this in two transactions, lending the funds back into IronBank and then receive cySUSD.

After several cycles of borrowing and lending, their cySUSD became so high that they could borrow anything from IronBank.

This led them to borrow 13.2K WETH, 3.6 million USDC, 5.6 million USDT, and 4.2 million DAI.

About $400 million worth of FTT could have been stolen but was “saved” after being withdrawn instantly.

Post-mortem to follow

Cream Finance provided an update and the protocol said that “contracts and markets were investigated and found to be functioning as normal.

Alpha Finance Lab said that they have “been notified of an exploit on Alpha Homora V2” and are working with Andre Cronje and Cream Finance to find a resolution.

The loophole has been fixed and a prime suspect has been identified already.


We will provide further updates.

Sign up for our FREE mailing list

Join 12,590 others now and get actionable research and analysis sent directly to your inbox.

Post a Comment


Delivered to your inbox, every Sunday evening.