Cream Finance, a top-20 DeFi protocol with over $500 million USD in locked liquidity, recently had a close call with a “critical” bug that would have allowed a malicious actor to drain $100,000 from one of the protocol’s smart contracts. The smart contract was associated with a discontinued liquidity mining program, but the bug still allowed attackers to drain funds from the protocol.
In the latest Intelligent Insurer, we review the details of the Cream Finance bug and highlight how the vulnerability was addressed. We also consider the broader risks of the DeFi ecosystem and how DeFi users can protect themselves against such risks.
What is Cream Finance?
Cream Finance is a decentralized lending protocol that is part of the Yearn Finance ecosystem. Based in Taiwan, the protocol offers versatile services to its users including borrowing, lending, flash loans, and support for both Ethereum and Binance Smart Chain. The protocol is also integrated with Ethereum infrastructure solution Polygon which allows Cream users to benefit from faster transactions and lower fees.
Since launching, Cream Finance has attracted over $7.5 billion from liquidity providers, ranking it among the biggest decentralized lending protocols. The protocol offers attractive borrowing and lending rates in multiple assets including USDT, BAL, BUSD, CRV, DAI, WBTC, and many more! At the time of writing, the lending and borrowing rates for USDT on Cream Finance are 5.7% and 15.26% respectively.
(Source: Skew.com)
Cream Finance Bug Discovery
The bug was found in a smart contract associated with a discontinued liquidity mining program. In April, Cream Finance launched a $1.5 million bug bounty program to reward white hat hackers who uncover vulnerabilities in Cream Finance’s smart contracts and web applications. The bug bounty program is run specifically in partnership with Immunefi, Armor.fi, and DeFiSafety.
A co-founder of Armor uncovered a bug in mid-June that would have allowed an attacker to drain funds from a liquidity mining program which had already been discontinued at that point. The attack had the potential to drain roughly $100k worth of funds from the protocol. Azeem, the Armor co-founder who uncovered the bug, was rewarded roughly $20k for the discovery.
Bug bounty comes through for Cream Finance
If you have been following the Intelligent Insurer for a while, you will be acutely aware that Cream Finance is only one of many DeFi protocols with vulnerabilities that hackers could exploit. Fortunately for Cream Finance users, the project team had the $1.5 million bug bounty program in place to help uncover such bugs.
However, most DeFi projects only uncover their vulnerabilities after they have already been exploited. In the Intelligent Insurer releases, we have covered a myriad of such scenarios in 2021. Titan DeFi, PolyButterfly, and several Binance Smart Chain projects have all been on the receiving end of attacks in the DeFi space.
For the users of such protocols, their locked capital remains exposed to such risks. Digital asset insurance solutions like Insured Finance are one of the strategies that DeFi users can employ to protect against them. Insured Finance is the first two-sided digital asset insurance marketplace that allows users to secure tailored coverage against specific risks such as rug pulls, smart contract exploits, and exchange hacks.
About Insured Finance
Insured Finance is a decentralized, peer-to-peer insurance marketplace. Insured Finance users can request customized insurance on a wide variety of digital assets. Those that fulfill requests earn premiums and can earn a competitive return on their capital. Claims are fully collateralized and settled instantly.