Published in


Hack Analysis: Cream Finance Oct 2021



Root Cause

Snippet 1. CREAM oracle deriving price from pricePerShare
Snippet 2. Price Per Share calculations given by yUSD


Snippet 3: Contract B
Snippet 4: Main Attack Contract

Getting Collateral

Snippet 5: DAI Flash Mint
Snippet 6: Ether Flash Loan


Snippet 7: DAI to yUSD
Snippet 8. Depositing yUSD as CREAM Collateral
Snippet 9. Unwrapping WETH and Passing control to Contract B
Snippet 10. Depositing Eth using Contact B and Borrowing yUSD Against It
Snippet 11. Recursive Borrowing.
Snippet 12. Inversion and Value Inflation
Snippet 13. Borrowing all liquidity from target markets
Snippet 14. Depositing Eth into WETH contract
Snippet 15. Withdrawing from 4-curve to DAI
Snippet 16. Swapping extra WETH to USDC/DAI and Swapping USDC to DAI


Entire Contract A



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store

Immunefi is the premier bug bounty platform for smart contracts, where hackers review code, disclose vulnerabilities, get paid, and make crypto safer.