Cream Finance — flash-loan exploit
An attacker exploited a price-oracle flaw in Cream's lending protocol using flash-loaned yUSDVault tokens, drained $130M across multiple assets, and exited through Tornado Cash.
- Target: Cream Finance — flash-loan exploit
- Date public: 27 October 2021
- Sector: Crypto
- Attack type: Vulnerability Exploit
- Threat actor: Unattributed
- Severity: High
- Region: Global — Ethereum
On 27 October 2021 Cream Finance, a Yearn-affiliated lending protocol, suffered its third major exploit of the year, this one draining approximately $130 million across multiple assets. The attacker used flash-loaned yUSDVault tokens to manipulate the price oracle Cream used to value collateral, allowing them to borrow far more against the manipulated valuation than the underlying assets justified. The technique was a refinement of the same flash-loan price-oracle pattern that had hit Cream itself in February 2021 ($37 million) and August 2021 ($18 million), each time exploiting a slightly different oracle path.
Cumulative 2021 losses across Cream’s three exploits exceeded $190 million. The protocol has continued to operate, but at a fraction of its 2021 total value locked. Cream’s repeated victimisation made the protocol the canonical case study for “this is what happens when you keep deploying contracts faster than you can audit them” and accelerated the industry shift toward Chainlink-style independent oracles for collateral pricing rather than spot-price oracles drawn directly from on-chain liquidity pools.
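The difference between the two pricing approaches can be shown with a small model. This is an added example, not Cream's code: the constant-product pool, the 75% collateral factor, the 5% deviation bound and all names are assumptions, and Cream's actual oracle path is not described in this entry.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Constructed constant-product pool (token * usd = k), standing in for
    'an on-chain liquidity pool' used as a price source."""
    token: float
    usd: float

    def spot_price(self) -> float:
        return self.usd / self.token

    def trade_usd_in(self, usd_in: float) -> None:
        k = self.token * self.usd
        self.usd += usd_in
        self.token = k / self.usd

class OracleDeviation(Exception):
    """Raised when the pool price disagrees with the independent reference."""

def guarded_price(pool: Pool, reference: float, max_dev: float = 0.05) -> float:
    # Value collateral at the independent reference price and refuse to lend
    # while the pool's spot price has drifted beyond max_dev from it.
    spot = pool.spot_price()
    if abs(spot - reference) / reference > max_dev:
        raise OracleDeviation(f"spot {spot:.2f} vs reference {reference:.2f}")
    return reference

def borrow_limit(units: float, price: float, factor: float = 0.75) -> float:
    return units * price * factor

def demo():
    pool = Pool(token=1_000_000, usd=1_000_000)      # constructed state, spot = 1.0
    reference = 1.0                                  # hypothetical off-pool feed
    baseline = borrow_limit(100_000, pool.spot_price())
    pool.trade_usd_in(1_000_000)                     # one large trade skews the pool
    spot_based = borrow_limit(100_000, pool.spot_price())
    try:
        guarded_price(pool, reference)
        blocked = False
    except OracleDeviation:
        blocked = True
    return baseline, spot_based, blocked

if __name__ == "__main__":
    print(demo())
```

With spot pricing the same collateral supports four times the borrowing after a single pool-skewing trade, while the reference-checked path rejects the valuation outright.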
Sources
- Cream Finance — Wikipedia // reporting
- Cream Finance post-mortem statement // primary