Cream Finance, a decentralized finance (DeFi) protocol that is part of the Yearn Finance ecosystem, was hacked for the second time. This time, the company’s Cream Liquidity Pool tokens and other ERC-20 tokens on the platform were taken, totaling $130 million.
According to an initial study by Chinese blockchain security and data analytics startup PeckShield Inc., an estimated $117 million was first targeted using a flash loan attack, a known attack vector among DeFi protocols.
According to the attack’s transaction data, the yet-unidentified threat actor took the majority of Cream’s LP tokens and converted them to DAI and USDC. The funds were moved to other wallets after the addresses received two consecutive payments of $92 million and $23 million.
Following the hack, Cream Finance’s $CREAM token plummeted from a spot price of $152 to $111 in less than an hour, an almost 30% loss. To date, the attack is the third-largest DeFi hack in history, behind the $611 million Poly Network theft and the $147 million Compound hack.
Cream Finance has not published a detailed statement on the incident as of press time. However, it acknowledged the attack and stated that it would investigate what happened to its Ethereum-based C.R.E.A.M. v1 protocol.
Cream Finance has been the target of three attacks, having previously lost $37.5 million in February and another $18.8 million in August. Cream Finance’s C.R.E.A.M. Flash Loans initiative was established in April to provide undercollateralized loans to developers. Only about $90 million in liquidity was accessible through its Binance Smart Chain version at the time.