Theft of $130 million! A Full Analysis of Cream Finance’s Fifth Hack This Year

5 min readOct 28, 2021

On October 27, BEOSIN’s Security Situational Awareness Platform revealed that the DeFi lending protocol Cream Finance was attacked again with a loss of $130 million. The stolen funds were mainly CreamLP tokens and other ERC-20 tokens. Regarding this attack, BEOSIN’s security technical team conducted incident analysis immediately.

#1 Event overview

How the attack happened

About 130 million U.S. dollars stolen! Cream Finance was hacked for the fifth time this year, and maybe it really has the tendency to attract the “scum”.

On October 28th, DeFi protocol Cream Finance issued a response to the flash loan attack, saying:

#2 Analysis of the incident in detail

How the attackers succeeded



Attack contract: 0x961d2b694d



Transaction hash.


1. The first step starts with a flash loan from

DssFlash (0x1eb4cf3a948e7d72a198fe073ccb8c7a948cd853) contract to borrow 500,000,000DAI.

2. Put DAI into yDAI

(0x16de59092dae5ccf4a1e6439d611fd0653f0bd01) contract as staking in exchange for 451,065,927.891934141488397224yDAI.

3. Put the exchanged yDAI tokens into y Swap

(0x45f783cce6b7ff23b2ab2d70e416cdb7d6055f51) to add liquidity and get 447,202,022.713276945512955672yDAI+yUSDC+yUSDT+yTUSD .

4. Next, use 447,202,022.713276945512955672yDAI+yUSDC+yUSDT+yTUSD as the stake and get 446,756,774.416766306389278551yUSD.

5. Then call the mint function in crYUSD and mint 22,337,774,341.38713187 crYUSD tokens.

6. Attack the contract

A(0x961d2b694d9097f35cfffa363ef98823928a330d) creates the attack contract in the constructor

B(0xf701426b8126BC60530574CEcDCb365D47973284) and after step 5, attack contract B borrows 524,102.159298234706604104 WETH from AAVE

7. B sends 6000 WETH to A

8. B converts the remaining WETH to ETH and uses this to call the crETH pool for staking.

9. Use the attack contract B to lend

446,758,198.60513882090167283 YUSD tokens and use them to mint crYUSD, return them after minting and send crYUSD to A. Repeat twice of this step.

10. Use attack contract B to lend

446,758,198.60513882090167283 YUSD and send it to A.

11. Swap out 7,453,002.766252 USDC in uniswap v3 using 1,873.933802532388653625 WETH.

12. Swap 3,726,501.383126 USDC to DUSD in

13. Exchange DUSD for

450,228,633.135400282653487952 yDAI+yUSDC+yUSDT+yTUSD.

14. Send 8,431,514.81679698041016119 yDAI+yUSDC+yUSDT+yTUSD directly back to the yUSD staking pool. As a result of using direct transfer, totalDebt remains the same and balanceOf(self) becomes larger, resulting in a larger totalAsset, which ultimately affects the price of the oracle to obtain pricePerShare becomes larger, i.e., more tokens can be borrowed by pledging yUSD.

15. Use the yUSD tokens as the stake to lend all the tokens supported by the cream protocol.

16. Finally, return the flash loan from the attack contract A.

#3 Case Review

What we need to pay attention to

This attack is typical flash loan to perform price manipulation, where a large amount of funds is obtained through the flash loan, and then a flaw in the design of the contract is exploited to drastically change the price to make profits. The price calculation of Cream’s oracle machine is related to the totalAsset of yUSD. When transferring funds directly to the yUSD contract, the Debt will not be updated, thus increasing the totalAsset, which will increase the price of yUSD and allow more funds to be borrowed from Cream.




Blockchian Security · IDE · Beosin-VaaS · Formal Verification · SAS | China leading enterprise in blockchain security field