On Wednesday, crypto lending service C.R.E.A.M. Finance was the target of a hack that stole over $130 million. It’s not only one of the largest heists ever targeting a so-called “decentralized finance” (DeFi) platform, but also the third such hack targeting C.R.E.A.M., demonstrating the risks inherent in the burgeoning crypto loan industry.
C.R.E.A.M. was targeted by what is known as a flash loan attack. Flash loans are uncollateralized cryptocurrency loans structured so that they must be paid back instantly using smart contracts, making them attractive for things like arbitrage across exchanges. If the loan isn’t paid back, then it never happens, because both occur in the same transaction.
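The all-or-nothing behavior described above can be shown with a small simulation. This is an added example, not code from C.R.E.A.M. or from the original article; the `Chain` ledger, the account names, the amounts and the fee are constructed for illustration, and a Python snapshot stands in for the way Ethereum reverts a failed transaction.

```python
class Reverted(Exception):
    """Raised when a transaction aborts; all of its state changes are undone."""

class Chain:
    """Toy ledger (hypothetical): balances keyed by account name."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Reverted(f"{src} has insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def transaction(self, fn):
        """Run fn atomically: keep changes on success, restore snapshot on revert."""
        snapshot = dict(self.balances)
        try:
            fn()
            return True
        except Reverted:
            self.balances = snapshot
            return False

def flash_loan(chain, pool, borrower, amount, fee, use_funds):
    """Lend without collateral, run the borrower's logic, then require repayment."""
    before = chain.balances[pool]
    chain.transfer(pool, borrower, amount)
    use_funds(chain)  # borrower-controlled logic runs while holding the funds
    if chain.balances[pool] < before + fee:
        raise Reverted("loan not repaid in the same transaction")

def run_scenario(repay):
    # Constructed sample state: the borrower starts with almost nothing.
    chain = Chain({"pool": 1000, "borrower": 5, "market": 0})

    def use_funds(c):
        c.transfer("borrower", "market", 50)  # use part of the loan elsewhere
        c.transfer("market", "borrower", 50)  # and receive it back
        if repay:
            c.transfer("borrower", "pool", 1000 + 1)  # principal plus fee

    ok = chain.transaction(
        lambda: flash_loan(chain, "pool", "borrower", 1000, 1, use_funds))
    return ok, chain.balances
```

The repayment check protects only the lender's own balance; it places no constraint on what the borrower's logic does with the funds in between.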
Analysts on social media who pored over the details of the attack suggested that the hacker exploited C.R.E.A.M. in an incredibly complex transaction for a flash loan that ultimately allowed the hacker to drain C.R.E.A.M.’s Ethereum-based lending pools, leading to a gain of around $130 million in different tokens. The attack cost the hacker roughly 9 ETH in network fees, or around $36,000.
The attacker left a bizarre message in the transaction text: "gÃTµ Baave lucky, iron bank lucky, cream not. ydev : incest bad, dont do." Aave is a competing crypto lending platform, while Iron Bank is a protocol-to-protocol lending service founded by C.R.E.A.M., which also refers to it as C.R.E.A.M. v2. According to C.R.E.A.M., its v1 lending service was targeted. In a tweet thread on Wednesday, the platform claimed that the vulnerabilities that allowed the hack to take place have since been patched.
“We apologize to our users and community for this unfortunate incident and thank you for your support,” C.R.E.A.M. tweeted.
The platform has fallen victim to hacks in the past. In August, $18.8 million was stolen from C.R.E.A.M. in a flash loan attack, The Block noted, and even earlier, in February, $37.5 million was stolen through C.R.E.A.M. via similar means.
The C.R.E.A.M. hack demonstrates the acute risks that come with crypto lending, which is an emerging industry encompassing billions of dollars in value. The basic idea is similar to a savings account with a bank, where you deposit money that the bank then lends out to clients and gives you interest. Similarly, C.R.E.A.M. and other services allow users to put their crypto into a pool to be lent out by the platform in return for interest, usually much larger than what a bank offers. Importantly, while funds you put into a bank are federally insured, funds you put into a crypto platform are not.
Crypto loan services have come under fire from regulators in the U.S. recently. This year, regulators in three different states ordered BlockFi to shut down because it was offering unregistered securities, officials said. Major U.S.-based crypto exchange Coinbase also planned a loan offering but scrapped it after the Securities and Exchange Commission threatened to sue the company if it introduced the product.
Over the past year, C.R.E.A.M., which stands for “Crypto Rules Everything Around Me” in an homage to Wu-Tang Clan’s classic track, has tried to mainstream its offerings. It even posted a theme song it said featured Method Man, who pops up at the start of the video bellowing "Ayo this is Method Man and this is not financial advice."
C.R.E.A.M. Finance did not respond to Motherboard’s request for comment.