The attacker exploited a vulnerability in the Iron Bank DeFi protocol (the second version of the Cream Finance project) and withdrew $ 37.5 million in tokens.
“We are aware of the potential vulnerability and are studying it. Thank you for your support in our investigation, ”wrote representatives of Cream Finance.
The Block analyst Igor Igamberdiev counted $ 37.5 million in project losses due to an exploit. He also outlined the sequence of the hacker's actions.
“The attacker used the Alpha Homora service to borrow funds from IronBank. Each time he borrowed twice as much as in the previous case. "
“He did this through two transactions, each time lending funds back to IronBank and receiving cySUSD.
At some point, the attacker received USDC worth $ 1.8 million using an instant loan on the Aave platform. Then he exchanged USDC for sUSD using Curve. "
He then deposited sUSD with IronBank. This allowed the hacker to continue borrowing and lending funds, receiving cySUSD at the exit.
“Of course, some of the sUSD was spent to pay off the instant loan,” the researcher emphasized.
“An instant loan of $ 10 million was taken, which was also used to increase the number of sUSD. Ultimately, cySUSD at his disposal reached such a number that it allowed him to borrow anything from IronBank. "
After that, he deposited stablecoins on various services, including Aave (v2) and Alpha Homora (1000 ETH). Almost 11,000 ETH remained in the attacker's address, 100 ETH he donated to the mixing service Tornado.Cash, and 1000 ETH was sent to the address of the IronBank contract. Against the background of the incident, the price of the CREAM token fell from levels around $ 290 to $ 220.
