A $37 Million DeFi Heist Cost Attackers Just $15,000 in Transaction Fees

The price of C.R.E.A.M., the token that powers an eponymous decentralized finance lending protocol, today crashed from $288 to $193 in just one hour following an apparent flash loan exploit that drained $37 million from the protocol. C.R.E.A.M.’s price is now $223. 

No official confirmation of the attack has been given by Cream Finance, but the team tweeted to announce their awareness of a ‘potential exploit.’ More than two hours later, fellow DeFi protocol Alpha Finance announced it had also been the victim of an ‘exploit.’

In an analysis of the attack, The Block’s crypto researcher, Igor Igamberdiev, concluded that experienced DeFi hackers hauled over $37.5 million in a complex and multi-step attack involving flash loans—instant crypto loans. 

The attackers took out crypto loans from lending protocols and then and then invested them into CREAM’s lending platform, Iron Bank. Iron Bank had been recently upgraded to enable collateral-free borrowing from Alpha Finance, and the exploiter received special derivatives tokens called cySUSD. 

A Flash Loan Con

The exploiter took out enough loans that they got a tremendous amount of cySUSD tokens, which they could use to “borrow anything from IronBank,” tweeted Igamberdiev. 

So the exploiter borrowed 13,244 ETH ($23.8 million), $3.6 million in US dollar stablecoin USDC, $5.6 million in US dollar stablecoin USDT and $4.2 million in a decentralized US dollar stablecoin, DAI. That amounts to about $37 million. 

According to the blockchain trail, 1000 ETH ($1.8 million) was refunded to both Alpha’s protocol and Cream Finance, and another 320 ETH ($577,238) sent to Tornado, a privacy tool for Ethereum, and more yet to repay the massive loans necessary for the attack. 

The tracker even used 100 ETH to fund a Gitcoin grant on Tornado, according to “pantsme,” a pseudonymous blockchain developer. The exploiter kept about $19.9 million for themselves.

And the whole exploit cost just $14,754 in Ethereum gas fees to pull off.

Teething troubles

Alpha Finance since tweeted that the loophole has been patched, and Cream Finance also tweeted that “C.R.E.A.M. contracts and markets were investigated and found to be functioning as normal,” but for many it’s a reminder of the precariousness of DeFi protocols.

DeFi is susceptible to flash loan exploits like this. In a notable case before Christmas, the newly launched Warp Finance DeFi platform was taken for $7.7 million in stablecoins in another flash loan attack. And in one attack against crypto lending platform Compound, exploiters took home $89 million. 

It’s clear, then, that more work needs to be done to prevent crypto from leaking out of the DeFi bucket. 

Total
0
Shares
Dodaj komentarz

Podobne Wpisy