Cream Finance

Abstract

Cream Finance is a decentralised lending protocol. The most notorious thing about it is it had been attacked by Flash Loan attack three times. We pick one of the attacks to analyse.

The main vulnerability is it used price feed from oracle directly, which could be manipulated by large capital borrowed from flash loan.

Status

Fixed

Flash Loan Steps

Exploiter's address

https://etherscan.io/address/0x24354d31bc9d90f62fe5f2454709c32049cf866b

Attack Tx

https://etherscan.io/tx/0x0fe2542079644e107cbf13690eb9c2c65963ccb79089ff96bfaf8dced2331c92

Borrow 500M DAI from DssFlash and covert to 450M yDAI
Transfer yDAI to Curve.fi pool and convert it to 447M Curve.fi yDAI/yUSDC/yUSDT/yTUSD token and 446M yUSD.
Transfer 446M yUSD to Cream and get 22.3B crYUSD; Transfer 447M Curve.fi yDAI/yUSDC/yUSDT/yTUSD token into strategy pool.
Exploiter Contract 2 borrowed 524K WETH from Aave flash loan then transferred 6K WETH to Exploiter Contract 1.
Borrow 24.95M crETH with the remaining 518K WETH.
Exploiter 2 borrowed 446M yUSD and swapped them for 22.3B crYUSD then transferred Exploiter 1.

... The whole process is too long to elaborate on, if you're interested you can find the details in the transaction record. These steps were aimed to tilt the exchange rate significantly.

Finally, by manipulating price differences, the attack borrowed a large amount of capital and then repaid flash loan, the remaining was his profit.

Summary

Price feed from oracle
Oracle calculated share by the asset pool usage
Manipulate share to manipulate price

PreviousFlash Loan NextGeneral NFT

Last updated 2 years ago