Summary
The attackers doubled the valuation of their collateral and profited by borrowing multiple assets against the overvalued collateral. This resulted in a loss of more than $100M for Cream Finance.
Attacker Address
- EOA: 0x24354D31bC9D90F62FE5f2454709C32049cf866b
- Contract1: 0x961d2b694d9097f35cfffa363ef98823928a330d
- Contract2: 0xf701426b8126bc60530574cecdcb365d47973284
Transaction
Method
1. Flash Loan
- MakerDAO: $500M DAI
- AAVE: $2B ETH
2. Deposit $1.5B yUSD into Cream Finance as collateral
3. Increase the price of yUSD
pricePerShare = 4pool pool token.balanceOf(yUSD) / yUSD.totalSupply
Transferring 4pool pool tokens directly into the yUSD contract increases "4pool pool token.balanceOf(yUSD)" while yUSD.totalSupply stays the same.
The attacker sent $8M of 4pool pool tokens directly into the yUSDVault, and that doubled the price of yUSD.
4. Borrow from Cream Finance
The attacker had deposited $1.5B yUSD, so Cream Finance thought the collateral was worth $3B.
- He could borrow 75% of the collateral's value.
- He borrowed $2B ETH to pay back the flash loan from AAVE.
- He borrowed other tokens worth over $100M. This is Cream's loss from the hack.
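The price step above, modeled as an added example (not code from Cream, Yearn, or the original post): a vault whose share price follows the page's balanceOf/totalSupply formula, a lender that trusts that spot price, and a lender-side guard that refuses a sudden price jump. The class and function names, the 2% jump threshold, and all balances are assumptions constructed for illustration; only the 75% collateral factor and the formula come from the page.

```python
from dataclasses import dataclass

COLLATERAL_FACTOR = 0.75  # from the page: 75% of collateral can be borrowed

@dataclass
class Vault:
    """Toy share vault; hypothetical names, constructed numbers."""
    underlying_balance: float  # what token.balanceOf(vault) would return
    total_supply: float        # vault shares outstanding

    def price_per_share(self) -> float:
        # Formula from the page: balanceOf(vault) / totalSupply
        return self.underlying_balance / self.total_supply
    def donate(self, amount: float) -> None:
        # Direct transfer: the balance grows but no shares are minted
        self.underlying_balance += amount

def borrow_limit(vault: Vault, shares: float) -> float:
    """Weak pattern: the lender values collateral at the spot share price."""
    return shares * vault.price_per_share() * COLLATERAL_FACTOR

class GuardedOracle:
    """Lender-side guard (assumed design): reject a price that jumps too far."""
    def __init__(self, vault: Vault, max_jump: float = 0.02):
        self.vault = vault
        self.max_jump = max_jump  # assumed threshold, not from the page
        self.last_price = vault.price_per_share()
    def price(self) -> float:
        spot = self.vault.price_per_share()
        if abs(spot - self.last_price) / self.last_price > self.max_jump:
            raise ValueError(f"share price moved {spot / self.last_price:.2f}x")
        self.last_price = spot
        return spot
    def borrow_limit(self, shares: float) -> float:
        return shares * self.price() * COLLATERAL_FACTOR

def demo():
    # Constructed numbers: 8M underlying backing 8M shares, 6M shares posted
    vault = Vault(underlying_balance=8_000_000, total_supply=8_000_000)
    oracle = GuardedOracle(vault)
    before = borrow_limit(vault, 6_000_000)
    vault.donate(8_000_000)  # balance doubles, supply unchanged
    after = borrow_limit(vault, 6_000_000)
    try:
        guarded = oracle.borrow_limit(6_000_000)
    except ValueError:
        guarded = None  # the guard halts borrowing at the inflated price
    return before, after, guarded
```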
Victim
Victims are those who deposited into the pools below.
- Cream Cream ETH 2 (crCRETH2)
- Cream SushiBar (crXSUSHI)
- Cream Wrapped NXM (crWNXM)
- Cream Perpetual (crPERP)
- Cream THORChain ETH.RUNE (crRUNE)
- Cream DefiPulse Index (crDPI)
- Cream Uniswap (crUNI)
- Cream USD Coin (crUSDC)
- Cream Fei USD (crFEI)
- Cream USDT (crUSDT)
- Cream yvCurve-stETH (crYVCurve…)
- Cream Gnosis Token (crGNO)
- Cream FTX Token (crFTT)
- Cream Yield Guild Games Token (crYGG)
Resources
For details, please see the tweets below. They have much more information than I do.