CREAM V1 Exploit: Loss Event Details & Claims Filing
What Happened
On 27 October, 2021, at 13:54 UTC, the CREAM V1 lending/borrowing market was exploited and liquidity was removed. The attacker was able to remove ~$130m USD. No official post-mortem report has been released at this time, though the CREAM Twitter account did provide the following statement:
In lieu of a post-mortem, there are several analysis reports cited below in the Resources section.
What Happens Now
It is likely that the CREAM development team and others in the DeFi community are working to mitigate any further losses and determine the cause of this attack. The post-mortem report is forthcoming, and until that time, Claims Assessors — members who stake NXM and review the validity of submitted claims — will evaluate Protocol Cover claims filed in the coming days using the analysis presently available, some of which is included below. Claims Assessors can use a variety of data to evaluate claims; for examples of data, see the What You Do entry in the Claims Assessment section of the Nexus docs.
For Protocol Cover policies, there is a 72-hour cool-down period, which is included to allow Claims Assessors time to gather analysis, review exploit transactions, discuss claims, and work together to review claim submissions.
The cool-down period ended on Saturday, 30 October, 2021, after 1:54pm UTC.
As of 1:55pm UTC on 30 October, 2021, Protocol Cover holders who purchased a CREAM V1 policy before the exploit took place and held active cover (i.e., not expired) are now able to file claims. Any member can file a claim but if a policy expired before the exploit took place or cover was purchased after, those claims will not be eligible for payouts. You can review the complete Protocol Cover wording for more information.
Members who file a claim and receive a full payout from the mutual will be required to give any future rights to compensation from the CREAM development team, if plans for compensation are released after full claim payouts have been made, to the mutual. The language in the UI states:
By making a successful claim and receiving a payout (i.e., reimbursement) from Nexus Mutual, you agree to give rights to any future reimbursements from CREAM Finance — including any reimbursement tokens that the CREAM team decides to distribute in the future — to Nexus Mutual.
This prevents affected users from receiving two payouts.
Claims Filing
If you held a CREAM V1 Protocol Cover policy that was active at the time the exploit occurred and you incurred a loss of 20% or greater, you are eligible to file a claim for Claims Assessors to review, as specified in the Protocol Cover wording. The Claims Assessment section below describes how the Claims Assessment process works.
Below is a record of the Cover IDs for valid CREAM V1 Protocol Cover policies that were active when the exploit occurred:
Now that the cool-down period has ended, members who hold CREAM V1 Protocol Cover can file a claim. For information on how the claims filing process works, see our How to File a Claim walkthrough.
Nexus Mutual requires proof of loss for Protocol Cover claims. Be sure to provide proof of loss if you file a claim.
For members who deployed assets from an address other than their whitelisted membership address, you can review the walkthrough (i.e., How to File a Claim) to see how that process works. We also have a FAQ entry about covered assets deployed from your non-whitelisted address.
Claims Assessment
Members who file claims can submit a claim up to two times; 10% of your cover cost is reserved for filing claims, as outlined in the diagram below.
Once claims are submitted, Claims Assessors can then review and assess the validity of submitted claims. Any member can act as a Claims Assessor by staking NXM to participate in the claims voting process.
To become a Claims Assessor for the first time, any amount of NXM can be staked for the initial staking period. When voting on a claim, the stake period is extended by the staking extension period (7 days). This means your NXM will be staked for a minimum of 7 days; however, you can only participate in Claims Assessment after NXM has been staked.
Should the assessor vote with the consensus outcome, this extension period is removed; should they vote against the consensus outcome, it remains in force.
When submitted, a claim first goes to the Claims Assessor group for voting. When voting on a claim a Claims Assessor’s entire stake is applied to that claim as the voting weight. This is used to determine the voting outcome as well as determine the proportionate share of Fee Pool rewards, or the rewards Claims Assessors receive for voting honestly with the consensus.
The voting period lasts for a minimum of 36 hours. After this point the vote automatically ends on the earliest of either when:
- voting stakes of greater than 10x the cover amount have voted; or
- 72 hours have passed.
The stake weighted voting outcome then determines the claim result. A claim is escalated to a full member vote if either:
- Voting consensus is below 70%; or
- Voting weight is less than 5x the Cover Amount.
You can read more about the Claims Assessment process in the Nexus docs.
Join the Claims Assessment discussion in the Nexus Mutual Discord.
Review claims in the Nexus Mutual dApp.
What Prevents Claims Assessors from Denying My Claim?
The Claims Assessment process is designed like an optimistic oracle, but instead of code, humans act as the oracles. The system is designed so that any attack would put more capital at risk than any potential profit that could be gained or any capital staked in Risk Assessment that could be saved.
Read more about the Advisory Board’s role in the Claims Assessment process in the docs.
Resources
- Banteg tweet: Understanding Cream exploit
- BlockSec: Initial Analysis of the CREAM Finance Attack
- CREAM Finance Exploiter’s Transaction: Etherscan
- Igor Igamberdiev tweet: Creamdotfinance
- Mudit Gupta: Analysis of the $130m+ Cream hack
- SlowMist Analysis: Cream Hacked Analysis
