
Twitter user josebaredes posted this afternoon that Cream Finance had been hacked and that the attacker appeared to have taken 13,000 ETH (after verification by multiple sources, the loss was greater than this figure: about $37.5 million). At the time, Yearn founder Andre Cronje and Cream founder Jeffrey Huang were talking and laughing on Clubhouse.
How exactly was Cream Finance hacked?
On Twitter, The Block research analyst @FrankResearcher analyzed how approximately $37.5 million in assets was stolen from IronBank, a zero-collateral cross-protocol lending service launched by Cream Finance.
The specific attack operations of hackers are as follows:
1. The attacker uses Alpha Homora to borrow sUSD from IronBank, and each time the borrowed funds are twice as much as the previous borrowing.
2. The attacker completes the task through two transactions, and each time lends funds to IronBank to obtain cySUSD.
3. At some point, the attacker took a $1.8 million USDC flash loan from Aave v2 and used Curve to swap USDC for sUSD.
4. The attacker lends sUSD to IronBank so that they can continue to obtain cySUSD.
5. Some sUSD is used to repay the flash loan.
6. In addition, a flash loan of $10 million was also used to increase the volume of cySUSD.
7. Eventually the attackers obtained a huge amount of cySUSD, which allowed them to borrow any asset from IronBank.
8. Then the attacker borrowed 132,000 WETH, 3.6 million USDC, 5.6 million USDT, and 4.2 million DAI.
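Steps 1 and 2 describe a loop that a lending-market monitor can look for: the same account repeatedly borrows an asset, supplies it straight back to the same market, and roughly doubles the size each round. The sketch below is an added example, not code from Cream, Alpha Homora or the analyst; the event tuple format, the sample events and the `min_rounds` and `growth` thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real chain data): (account, action, asset, amount).
# "supply" stands for lending an asset to the market in exchange for its cy-token.
EVENTS = [
    ("0xaaa", "borrow", "sUSD", 1_000),
    ("0xaaa", "supply", "sUSD", 1_000),
    ("0xaaa", "borrow", "sUSD", 2_000),
    ("0xaaa", "supply", "sUSD", 2_000),
    ("0xaaa", "borrow", "sUSD", 4_000),
    ("0xaaa", "supply", "sUSD", 4_000),
    ("0xaaa", "borrow", "sUSD", 8_000),
    ("0xaaa", "supply", "sUSD", 8_000),
    ("0xbbb", "supply", "USDC", 50_000),   # ordinary collateral deposit
    ("0xbbb", "borrow", "sUSD", 10_000),   # ordinary borrows, never resupplied
    ("0xbbb", "borrow", "sUSD", 5_000),
]

def flag_recursive_borrowing(events, min_rounds=3, growth=1.9):
    """Return {(account, asset): [borrow amounts]} for borrow -> resupply loops
    of the same asset in which each borrow is >= growth x the previous one."""
    streaks = defaultdict(list)   # current run of escalating, resupplied borrows
    pending = {}                  # latest borrow not yet matched by a resupply
    flagged = {}
    for account, action, asset, amount in events:
        key = (account, asset)
        if action == "borrow":
            pending[key] = amount
        elif action == "supply" and key in pending:
            borrowed = pending.pop(key)
            run = streaks[key]
            # Reset the run if the loan was not fully resupplied or did not escalate.
            if amount < borrowed or (run and borrowed < growth * run[-1]):
                run.clear()
            if amount >= borrowed:
                run.append(borrowed)
            if len(run) >= min_rounds:
                flagged[key] = list(run)
    return flagged

if __name__ == "__main__":
    for (account, asset), amounts in flag_recursive_borrowing(EVENTS).items():
        print(f"ALERT {account} recursive {asset} borrowing: {amounts}")
```

In a real monitor the thresholds would need tuning against normal leveraged-farming activity, which can produce shorter loops of the same shape.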
Cream's current investigation progress
After Cream.Finance discovered the loophole, it first tweeted "IronBank's asset borrowing has been suspended" and "CREAM v1 funds are safe"; the official account deleted these two tweets soon after.
Then Cream.Finance tweeted again: The investigation of the Cream contract and the market has been completed, and it is currently operating normally. Both V1 and V2 have been re-enabled. The inspection report will be issued later.
Disadvantages and reflections brought about by rough and fast DeFi development methods
The frequent occurrence of vulnerabilities in DeFi projects today shows the problems behind the rapid development of DeFi. Perhaps it is time for DeFi developers to slow down and think about it. After Cream.Finance and other DeFi projects were attacked, Shenyu posted on Weibo that the rough and fast DeFi development method represented by AC (YFI founder Andre Cronje) lacked regression testing, and that its drawbacks were beginning to appear. It is worth mentioning that several projects in the Yearn ecosystem have been hacked: Pickle, SushiSwap, Yearn, and, today, Cream.
On February 12, according to the official website of Delaware, Grayscale Investment, in addition to YFI, newly registered five more trust fund products: SNX (Synthetix), SUSHI (Sushiswap), STX (Blockstack), COMP (Compound) and MKR (MakerDAO), all of which were registered on February 10.
Although the CEO of Grayscale once stated that registering a trust entity does not mean that corresponding products will be launched, users are advised to invest carefully. However, the market was extremely excited by the news, which prompted these DeFi projects to rise rapidly in the past two days, and the price of YFI even surpassed BTC at one point. However, today's hacking incident directly affected market confidence, leading the decline in DeFi, and the market seemed to calm down a lot.
The development of DeFi is similar to Lego blocks. Its composability and scalability have brought new development space for the blockchain industry; however, if there is a problem with one of the "building blocks" in DeFi, it can very easily cause a systemic collapse, thereby causing irreparable losses to users. The DeFi industry is still very young, and the test of time has so far been very short. After hacking incidents have occurred one after another, developers may also re-examine the crises and opportunities brought by DeFi, so as to create a decentralized financial system that can truly stand the test of time.