$100 000 USD

JUNE 2021




"C.R.E.A.M. Finance is a decentralized lending protocol for individuals, institutions and protocols to access financial services. Part of the yearn finance ecosystem, it is a permissionless, open source and blockchain agnostic protocol serving users on Ethereum, Binance Smart Chain and Fantom. Users who are passively holding Ethereum or Bitcoin can deposit their assets on C.R.E.A.M. to earn yield, similar to a traditional savings account."


"Cream Finance formerly had a liquidity mining rewards contract that they recently discontinued prior to the reporting of the vulnerability. The liquidity program allowed users to accrue CREAM tokens as mining rewards for depositing or borrowing using the protocol." "Although the contract was not issuing new rewards, it still was issuing rewards in response to users who had participated in their liquidity mining program prior to its discontinuation."


"Azeem, Co-Founder of DeFi protocol Armor, became aware of a vulnerability in Cream Finance circulating in the wild and promptly reported it to Immunefi on June 13. The vulnerability was rated as “critical” because it allowed a malicious user to drain Cream’s liquidity mining rewards contract of approximately $100,000 in CREAM tokens, even though it had been discontinued and was not issuing new rewards."


"[T]he vulnerability consisted of a failure to validate whether a given user making a rewards claim had participated in their liquidity mining program from the appropriate time. In other words, using the front end of the Cream Finance interface, a malicious user could claim rewards as if they had been participating in the liquidity mining program from the beginning. No unit test existed to prevent this from happening."


"The step by step method to exploit the vulnerability was as follows: (1) Deposit CRV in Cream Finance in new interface. (2) Navigate to Classic.cream.finance/rewards to earn an instant mint of 6% APY up front in CREAM tokens. This only worked with CRV and only worked once per wallet. (3) Swap CRV to ETH. (4) Send to new wallet. (5) Swap back to CRV. (6) Repeat exploit to obtain another instant 6% APY minted up front in CREAM rewards using the same CRV in step 1. This process could have been repeated until the contract was fully drained."


"Although the vulnerability had been exploited for a minor amount, it does not appear as though any malicious users exploited the contract for a significant profit in an automated fashion."


"Cream Finance patched [the] bug after it was responsibly disclosed by Armor’s Azeem." "Cream Finance issued a fix to the Comptroller contract on June 14, the day after the vulnerability was reported." "Cream Finance has awarded Azeem with a bounty of 135 CREAM, which was 20% of the contract’s TVL at the time of the report. The current market rate of that bounty comes out to $20,750."


"We’d like to thank the Cream Finance team for paying out a bounty to the whitehat that was 20% of contract TVL."

Cream Finance had a liquidity mining rewards contract. This included a smart contract hot wallet with $100k of funds available to hackers, due to an oversight which allowed users to claim rewards as though they'd been participating in the program since the beginning.


Due to a responsible disclosure, the bug was fixed. The bounty paid to the discloser was ~20% of what could have been stolen.


In this case, only a small amount of funds were exploited through the vulnerability before it was responsibly disclosed.


While security audits and bug bounties will assist with security, the only certainty is simple offline multi-signature storage for funds. Small funds in smart contract hot wallets can be self insured or insured through smart contract insurance.


Check Our Framework For Safe Secure Exchange Platforms

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.