In Brief:
- The CREAM Finance has been exploited for the third time, $130 million stolen.
- Total of $260 million is at risk.
- In order to “wash” the funds, the attacker is primarily using Ren’s Bitcoin bridge.
The CREAM Finance money market and lending service of Decentralized Finance (DeFi) has been hit by a devastating exploit Wednesday morning that drained over $260 million in funds, the second-largest attack so far.
Cream’s native front end reports that most Ethereum-based pools are empty, except for a 40 million $CREAM pool. As of October 23, the protocol’s Ethereum markets were worth $300 million.
The official Twitter account of Cream acknowledged the attack in a Tweet and investigated it.
DeFillama estimates the protocol has an additional $460 million of total value locked (TVL) across Binance Smart Chain, Avalanche and Fantom, Polygon, and Avalanche. It is not quite clear if those funds are also at risk or not.
In a highly complex transaction involving 68 different assets and over 9 ETH in gas, the funds appear to have been taken with a flash loan.
These exploits always come with some messages, so as happened in this case, on the transaction as shown on etherscan a message popped up “gÃTµ Baave lucky, iron bank lucky, cream not. ydev: incest bad, dont do.” This is not the first time exploiters left these kind of provoking messages, they have done this in the past as well.
Among the $260 million in losses, the attacker may have accumulated approximately $130 million in cryptocurrencies, of which $40.6 million may have been in illiquid crETH, a staked derivative of ETH which the attacker may be unable to sell.
Also Read: Lossless Helps The Cream Finance to Recover 5,152 Ether
In order to “wash” the funds, the attacker is primarily using Ren’s Bitcoin bridge, but individuals are also asking for donations through Ethereum transactions.
