Cream Finance Mining Reward Bug

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Cream Finance

Cream Finance had a liquidity mining rewards contract. This included a smart contract hot wallet with $100k of funds available to hackers, due to an oversight which allowed users to claim rewards as though they'd been participating in the program since the beginning.

Due to a responsible disclosure, the bug was fixed. The bounty paid to the discloser was ~20% of what could have been stolen.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7]

About Cream Finance

"C.R.E.A.M. Finance is a decentralized lending protocol for individuals, institutions and protocols to access financial services. Part of the yearn finance ecosystem, it is a permissionless, open source and blockchain agnostic protocol serving users on Ethereum, Binance Smart Chain and Fantom. Users who are passively holding Ethereum or Bitcoin can deposit their assets on C.R.E.A.M. to earn yield, similar to a traditional savings account."

"Cream Finance formerly had a liquidity mining rewards contract that they recently discontinued prior to the reporting of the vulnerability. The liquidity program allowed users to accrue CREAM tokens as mining rewards for depositing or borrowing using the protocol." "Although the contract was not issuing new rewards, it still was issuing rewards in response to users who had participated in their liquidity mining program prior to its discontinuation."

"Azeem, Co-Founder of DeFi protocol Armor, became aware of a vulnerability in Cream Finance circulating in the wild and promptly reported it to Immunefi on June 13. The vulnerability was rated as “critical” because it allowed a malicious user to drain Cream’s liquidity mining rewards contract of approximately $100,000 in CREAM tokens, even though it had been discontinued and was not issuing new rewards."

"[T]he vulnerability consisted of a failure to validate whether a given user making a rewards claim had participated in their liquidity mining program from the appropriate time. In other words, using the front end of the Cream Finance interface, a malicious user could claim rewards as if they had been participating in the liquidity mining program from the beginning. No unit test existed to prevent this from happening."

"The step by step method to exploit the vulnerability was as follows: (1) Deposit CRV in Cream Finance in new interface. (2) Navigate to Classic.cream.finance/rewards to earn an instant mint of 6% APY up front in CREAM tokens. This only worked with CRV and only worked once per wallet. (3) Swap CRV to ETH. (4) Send to new wallet. (5) Swap back to CRV. (6) Repeat exploit to obtain another instant 6% APY minted up front in CREAM rewards using the same CRV in step 1. This process could have been repeated until the contract was fully drained."

"Although the vulnerability had been exploited for a minor amount, it does not appear as though any malicious users exploited the contract for a significant profit in an automated fashion."

"Cream Finance patched [the] bug after it was responsibly disclosed by Armor’s Azeem." "Cream Finance issued a fix to the Comptroller contract on June 14, the day after the vulnerability was reported." "Cream Finance has awarded Azeem with a bounty of 135 CREAM, which was 20% of the contract’s TVL at the time of the report. The current market rate of that bounty comes out to $20,750."

"We’d like to thank the Cream Finance team for paying out a bounty to the whitehat that was 20% of contract TVL."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Cream Finance Mining Reward Bug
Date Event Description
June 13th, 2021 Main Event Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $100,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

In this case, only a small amount of funds were exploited through the vulnerability before it was responsibly disclosed.

While security audits and bug bounties will assist with security, the only certainty is simple offline multi-signature storage for funds. Small funds in smart contract hot wallets can be self insured or insured through smart contract insurance.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. No Title (Jul 24, 2021)
  2. Cream Finance Insufficient Validation Bug Fix Postmortem (Jul 24, 2021)
  3. C.R.E.A.M. (Jun 26, 2021)
  4. contracts/Comptroller.sol: fix rewards by bun919tw · Pull Request #90 · CreamFi/compound-protocol · GitHub (Aug 30, 2021)
  5. Cream Finance launches $1.5M bug bounty to improve DeFi security (Feb 8, 2022)
  6. Cream Finance Review: What You NEED To Know About CREAM!! (Feb 8, 2022)
  7. https://www.blockthreat.io/p/blockthreat-week-26-2021 (Feb 8, 2022)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Cream_Finance_Mining_Reward_Bug&oldid=4061"