$37 million DeFi heist costs attackers just $15,000 in transaction fees

In short

  • The price of CREAM dropped 30% in one hour.
  • It appears to be related to a flash loan attack.
  • DeFi platforms are always susceptible to flash loan attacks.

The price of CREAM, the token that powers the eponymous decentralized finance lending protocol, today fell from $288 to $193 in just an hour following an apparent flash loan exploit that drained $37 million from the protocol. The price of CREAM is now $223.

Cream Finance gave no official confirmation of the attack, but the team tweeted that it was aware of a “potential exploit”. More than two hours later, fellow DeFi protocol Alpha Finance announced that it had also been the victim of an “exploit”.

In an analysis of the attack, The Block’s crypto researcher, Igor Igamberdiev, concluded that experienced DeFi hackers made off with over $37.5 million in a complex, multi-stage attack involving flash loans, which are instant crypto loans.

The attackers took out crypto loans from lending protocols and then put them into CREAM’s lending platform, Iron Bank. Iron Bank had recently been updated to allow unsecured borrowing from Alpha Finance, and the exploiter received special derivative tokens called cySUSD.

A flash loan con

The exploiter took out enough loans to secure a huge amount of cySUSD tokens, which he could use to “borrow anything from IronBank,” Igamberdiev tweeted.

The exploiter therefore borrowed 13,244 ETH ($23.8 million), $3.6 million in the US dollar stablecoin USDC, $5.6 million in the US dollar stablecoin USDT and $4.2 million in a decentralized US dollar stablecoin, DAI. That’s about $37 million.

According to the blockchain trail, 1,000 ETH ($1.8 million) was refunded to both Alpha’s protocol and Cream Finance, an additional 320 ETH ($577,238) was sent to Tornado, a privacy tool for Ethereum, and more went to repay the massive loans needed for the attack.

The exploiter even used 100 ETH to fund a Gitcoin grant for Tornado, according to “pantsme”, a pseudonymous blockchain developer. The exploiter kept about $19.9 million for himself.

And the whole exploit cost only $14,754 in Ethereum gas fees to pull off.

Teething problems

Alpha Finance has since tweeted that the flaw has been patched, and Cream Finance also tweeted that “CREAM contracts and markets have been investigated and found to be functioning normally”, but for many this is a reminder of the precariousness of DeFi protocols.

DeFi is susceptible to flash loan exploits like this. In a notable case before Christmas, the new Warp Finance DeFi platform was taken for $7.7 million in stablecoins in another flash loan attack. And in an attack on the crypto lending platform Compound, the exploiters took away $89 million.

It is therefore clear that more work needs to be done to keep crypto from leaking out of DeFi protocols.
