Just when you thought it was safe to get in the defi water — another Defi attack.

5 min readOct 27, 2021

Todays’s headline hit hard: “DeFi Attack Drains $130M From CREAM Finance!”.

This event certainly raises plenty of questions.

What are the risks to investors, going forward? Was this attack an ominous milestone for the crypto currency sector; an example of a new threat? Was what happened a crime, like theft? Or was it simply a dramatic play by a sharp operator or operators?

I’ll break down this attack on CREAM Finance step-by-step, so you can build your knowledge and ultimately understand what the risks are for yourself because unfortunately this probably won’t be the last time it happens. Indeed, two similar attacks did take place earlier this year, in which attackers took off with a total of $56.3 million. But the attack on CREAM Finance is by far the biggest of its type we’ve seen to date, in dollar terms.

The WHAT

CREAM Finance is a DeFi lending protocol for individuals, institutions, and other protocols to access decentralized financial services. This attack on it was carried out using advanced programmatic trading to place orders on exchanges (that is, it wasn’t executed by manually placing trading orders on exchanges but via a software program).

What happened in the attack on CREAM Finance, was really nothing new: it was a form of arbitrage. Arbitrage is the practice of borrowing money to trade any kind of asset (like a stock, a currency, a bond, etc.), in order to take advantage of differing prices for that asset on various exchanges. Price discrepancies may exist for only a few seconds — or less.

A discrepancy in price can be minuscule fractions of a cent, but when executed at scale it rapidly adds up to millions in profit. This is what we saw in the attack on CREAM Finance.

By the way, arbitrage is not a crypto-only phenomenon. It’s been taking place probably for as long as exchanges have existed. Indeed, there are massive financial firms that specialize in arbitrage. As an example, a single firm may manage over $1 billion in digital assets and trade $1–10 billion per day across thousands of crypto products, all through the use of programmatic trading. (Alongside these are retail traders who implement similar arbitrage strategies but not nearly at the same scale).

It’s also worth noting that arbitraging doesn’t require expertise in the cryptocurrency tokens themselves. The arbitrageurs didn’t need to know about the tokens or hold any views on their long-term potential. They only cared that there was a price discrepancy of tokens in different markets. So they took advantage.

The HOW

A stand-out element of the DeFi attack on CREAM is that the attackers employed something called a flash loan to fund their transactions.

A flash loan is an innovation of DeFi finance. A flash loan enables borrowing — without collateral or credit checks — for a few seconds so that some transaction can be carried out and the loan repaid. It is a new and exciting concept and has no traditional finance counterpart or analogy.

It exists due to the properties of blockchains themselves, which enables zero default risk, making collateral or credit checks irrelevant. Implemented via a smart contract, the borrower must pay back the loan in the same transaction. All parts of the programmed flash loan contract must be executed, or none of them are. If the funds are not repaid, then the loan is not made. The transaction is cancelled in its entirety, like the loan was never made.

To net it out, flash loans enable tokens to be borrowed, transactions undertaken, and the loan repaid, all as part of a single smart contract on a blockchain. Invented fairly recently (by Marble Protocol in 2018), the flash loan product has spread rapidly to a number of Ethereum-based DeFi lending platforms including dYDdX and Aave, and is used to fund and execute arbitrage trades.

In the attack on CREAM Finance, $1.5 billion in flash loans and market price manipulation combined to powerful effect.

Using $1.5B billion in DAI borrowed in flash loans from Maker, the arbitrageurs were able to manipulate the price of the crYUSD token on CREAM. They were able to artificially double the price of the crYUSD token from its “real” value of $1 to $2.

It sounds relatively straightforward, but the CREAM attack was complex to execute. It involved multiple Ethereum wallets and it was executed via dozens of discrete steps. This thread on Twitter by Mudit Gupta breaks down the attack by each step, along with his blog post detailing 29 steps, here.

My takeaway

But was a crime committed by the attacker or attackers, who set up the programmatic trading bot which took off with $130m in profit? Was this event an act of theft? Some reports stated the $130m was ‘stolen’ from CREAM Finance’s liquidity pools.

However, in my opinion, the Defi Attack on CREAM Finance did not reach the status of a crime. Instead, this was an event where the weaknesses in a system were exploited. The fact that prices can be exploited and that a slippage in prices can be induced intentionally, is not the attacker’s fault.

In financial markets arbitragers are always operating, undertaking trades to exploit price discrepancies between assets and, in doing so, providing significant benefits to the markets. Cryptocurrency is a new market, and a new place in which to exercise arbitrage opportunities.

What can crypto exchanges do about flash loan attacks?

One way to dampen the impact of a flash loan attack is for an exchange to make the prices it hosts less susceptible to manipulation, so that significant price differences don’t emerge in the first place for bad actors to exploit.

A way to do this is to refer to third party prices, known as Oracles. These draw prices from multiple sources and are less vulnerable to being manipulated. An Oracle helps keep the price stay in line with the value of a token. Elsewhere, exchanges can also run simulations to determine if there is a problem that’s ripe for exploitation and then block trades that look dodgy.

How can you reduce the risk of falling victim to a flash loan attack?

Basically, you should pay attention to news and rumors. Keep track of the news regarding exchanges that you use and assets which you trade. One investor who seems to have taken action in the wake of the CREAM attack, is investor and TRON-founder Justin Sun. At the end of October, Sun withdrew around $6.8bn in USD, BTC and other crypto from Aave, a DeFi protocol like CREAM, motivated by fears the platform could potentially have a similar point of failure to CREAM.