Cream Finance — flash-loan exploit
An attacker exploited a price-oracle flaw in Cream's lending protocol via flash-loan-borrowed yUSDVault tokens, drained $130M across multiple assets, and exited through Tornado Cash.
- Target: Cream Finance — flash-loan exploit
- Date public: 27 October 2021
- Sector: Crypto
- Attack type: Vulnerability Exploit
- Threat actor: Unattributed
- Severity: High
- Region: Global — Ethereum
Cream Finance was a crypto lending protocol — like a bank where people deposit cryptocurrency and others borrow against it. The protocol relied on its own internal "price oracle" to value the collateral users posted. For one type of collateral — yUSDVault tokens, which were shares in a Yearn savings vault — Cream calculated each share's price by dividing the vault's total holdings by the share count. The attacker realised they could change the share count at will. By redeeming most of the shares for the underlying stablecoin, then re-depositing the same stablecoin back into the vault, they could leave the vault holding the same value but with far fewer shares outstanding. Each remaining share was suddenly worth twice as much, according to Cream's books. The attacker held $1.5 billion in those shares as collateral. The doubling made it look like $3 billion. They borrowed against the phantom valuation, drained $130 million in real assets from Cream, repaid the flash loans, and exited through Tornado Cash. The funds were never recovered. It was Cream's third exploit in 2021.
What happened
On 27 October 2021, Cream Finance — a Yearn-affiliated permissionless lending protocol on Ethereum — was drained of approximately $130 million across multiple assets in a single complex transaction that involved 68 different tokens and cost over 9 ETH in gas. The attacker used flash loans from MakerDAO and Aave to manipulate Cream’s internal price oracle for yUSDVault collateral, then borrowed against the manipulated valuation and walked away with the difference. Funds moved through Tornado Cash; no recovery was achieved.
It was Cream’s third major exploit of 2021, after a February attack ($37 million via the Iron Bank pool) and an August attack ($18 million via the AMP token integration). Cumulative 2021 losses across the three exploits exceeded $190 million. The protocol continued to operate but its total value locked never recovered to pre-October levels.
How it worked
The vulnerability sat in Cream’s PriceOracleProxy for yUSDVault tokens. Yearn Finance’s yUSD vault accepted deposits of yUSD — a Curve-derived synthetic stablecoin — and issued yUSDVault share tokens whose value tracked the vault’s net holdings divided by the share supply. Cream’s oracle calculated this share price by reading the vault’s total assets and the share supply directly from the vault contract, atomically, in the same transaction the user was performing.
The attacker exploited the fact that both inputs to that calculation could be manipulated within a single transaction. Two attacker-controlled accounts took out flash loans: DAI from MakerDAO, ETH from Aave. The DAI was deposited into Curve’s yPool to mint yUSD. The ETH was used as Cream collateral to borrow more yUSD. All of the yUSD was then deposited into Yearn’s yUSD strategy, producing yUSDVault share tokens. Those shares were deposited back into Cream as collateral, minting crYUSD against them. By repeating the borrow-and-redeposit cycle multiple times across the two accounts, the attacker accumulated approximately $1.5 billion in crYUSD and $500 million in yUSDVault shares.
The price-manipulation step came next. The attacker redeemed approximately $500 million of yUSDVault shares for the underlying yUSD, dropping the vault’s share supply to around $8 million. They then re-deposited that $8 million of yUSD into the same vault. The vault now held roughly the same total assets as before but with a far smaller share supply, so Cream’s oracle reported a per-share value approximately twice the previous figure. The attacker’s existing $1.5 billion holding of crYUSD was now valued at $3 billion on Cream’s books.
The remaining steps were mechanical. The attacker used $2 billion of the now-doubled valuation to repay the flash loans. The remaining $1 billion in phantom collateral provided enough headroom to drain $130 million in actual assets — DAI, USDC, ETH, WBTC — from Cream’s other lending pools. Funds moved into Tornado Cash within hours.
The technical character of the flaw is worth being precise about. As Mudit Gupta noted in his post-mortem, this was not strictly a price-manipulation attack in the sense of distorting a market price. The yUSDVault shares actually did double in unit value during the transaction; the arithmetic was correct. The exploitable property was that the doubling happened atomically, inside a single transaction Cream could not interrupt or liquidate. A protocol cannot defend against a collateral asset whose unit value can shift by 100% in one block, because the protocol’s defensive tools — liquidations, oracle reads, position monitoring — all operate at block boundaries or slower. The flaw was Cream’s decision to accept yUSDVault as collateral with a directly-observed-from-vault price oracle, not Yearn’s vault arithmetic.
Timeline
- February 2021 — First Cream Finance exploit. Approximately $37 million drained via flash-loan oracle manipulation against Cream’s Iron Bank pool.
- August 2021 — Second Cream Finance exploit. Approximately $18 million drained in a flash-loan attack against Cream’s AMP token integration.
- 27 October 2021 — Third exploit. $130 million drained in a single transaction. Cream’s CRM token price falls more than 30% within hours.
- 27–28 October 2021 — Funds moved into Tornado Cash. No recovery achieved.
- November 2021 — Cream announces revised oracle architecture. Total value locked never recovers to pre-exploit levels.
- 2022 onward — Protocol continues to operate at a fraction of its 2021 scale. The exploit is widely cited in DeFi security literature as the canonical case for replacing self-referential vault oracles with independent, time-weighted price feeds.
What defenders should learn
The defining property of this attack is that the asset Cream chose to accept as collateral could change its unit value to an arbitrary degree inside a single Ethereum block. That property is not an oracle bug — the oracle returned the correct arithmetic. It is a collateral-eligibility decision. Lending protocols that want to accept synthetic or wrapped assets as collateral are inheriting the volatility profile of the underlying redemption mechanics. If those mechanics allow the share-price calculation to be moved by an attacker who can borrow large positions atomically — and on Ethereum with flash loans, every attacker can — the asset is not appropriate collateral for a permissionless lending protocol regardless of how reliably the oracle reads its state.
The DeFi industry response to this incident accelerated the shift away from spot-price oracles drawn directly from on-chain liquidity pools or vault accounting and toward independent, time-weighted price feeds — Chainlink and similar — that aggregate market prices over windows long enough to dampen single-transaction manipulation. That shift is now standard practice. Any lending protocol launching today that uses a directly-read vault oracle for its collateral pricing is reproducing Cream’s 2021 architecture.
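As an added illustration that is not part of the original write-up or of Cream's or Yearn's code, this Python model walks through the share-price arithmetic described under "How it worked" and contrasts a directly-read spot oracle with the time-weighted, deviation-bounded valuation described above. Vault, GuardedOracle, the 24-block price history and the 5% bound are constructed for the model; it also assumes the re-deposit enters the vault without minting new shares, which is the only way the "same assets, fewer shares" outcome the page describes can arise.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class Vault:
    """Minimal model of a Yearn-style share vault; amounts are USD-equivalent units."""
    total_assets: float
    share_supply: float

    def price_per_share(self) -> float:
        # Exactly the figure a directly-read vault oracle returns.
        return self.total_assets / self.share_supply

    def redeem(self, shares: float) -> float:
        # Ordinary redemption burns shares and pays out proportionally: price is unchanged.
        payout = shares * self.price_per_share()
        self.share_supply -= shares
        self.total_assets -= payout
        return payout

    def transfer_in(self, assets: float) -> None:
        # Assets entering with no new shares minted (modelling assumption): moves the price.
        self.total_assets += assets


class GuardedOracle:
    """Defensive valuation: TWAP over prior block-end prices plus a deviation bound."""
    def __init__(self, block_end_prices: list[float], max_deviation: float = 0.05):
        self.twap = mean(block_end_prices)
        self.max_deviation = max_deviation

    def collateral_price(self, vault: Vault) -> float:
        spot = vault.price_per_share()
        # An in-block reading far from the time-weighted anchor is refused (a revert on-chain).
        if abs(spot - self.twap) / self.twap > self.max_deviation:
            raise ValueError(f"spot {spot:.2f} vs TWAP {self.twap:.2f} exceeds bound")
        return spot


def single_block_scenario() -> tuple[float, float, str]:
    """Replay the page's figures: supply falls to ~$8M, then $8M of assets arrive."""
    vault = Vault(total_assets=508e6, share_supply=508e6)   # price 1.00 before the block
    guarded = GuardedOracle(block_end_prices=[1.0] * 24)    # constructed price history
    vault.redeem(500e6)                                     # supply 8M, price still 1.00
    vault.transfer_in(8e6)                                  # assets 16M against 8M shares
    spot = vault.price_per_share()                          # 2.00: what a spot oracle sees
    try:
        verdict = f"accepted at {guarded.collateral_price(vault):.2f}"
    except ValueError as err:
        verdict = f"rejected ({err})"
    return spot, guarded.twap, verdict
```

The same 2x move that the spot oracle reports as fact is refused by the guarded oracle, because nothing in the prior blocks supports it; the bound and window are policy choices a protocol would tune per asset.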
The repeated nature of Cream’s losses is the wider lesson. After the February and August incidents, the protocol added partial mitigations but did not fundamentally re-evaluate the class of collateral it accepted. Each subsequent exploit was a different specific path to the same architectural property: collateral whose price could be moved atomically. A protocol that has been exploited twice on related vectors and continues to deploy against the same architectural assumptions is not addressing the underlying issue. The third exploit was, in retrospect, predictable.
Sources
- Cream Finance — Wikipedia // reporting
- Cream Finance post-mortem statement // primary
- Mudit Gupta — Creamed Cream: Cream Hack Analysis // analysis
- Halborn — Explained: The CREAM Finance Hack (October 2021) // analysis
- Immunefi — Hack Analysis: Cream Finance Oct 2021 // analysis