In DeFi, where security is critical, the fast-iteration development style that is popular in Internet products may not be appropriate.
Original title: "Cream Finance loses $37.5 million; the shortcomings of rough-and-ready DeFi development are starting to show"
Written by: Twenty-Three Painters
Twitter user josebaredes posted this afternoon that Cream Finance had been hacked and that the attacker appeared to have made off with about 13,000 ETH (later confirmed by multiple parties; roughly 37.5 million US dollars). At the time, Yearn founder Andre Cronje and Cream founder Jeffrey Huang were chatting and laughing on Clubhouse.
Once the incident came to its attention, Cream Finance tweeted that it was aware of a potential vulnerability and was investigating. How did the attack work, and what lessons does it hold for DeFi?
How was Cream Finance attacked?
The Block research analyst @FrankResearcher laid out on Twitter how roughly $37.5 million in assets was drained from Iron Bank, the protocol-to-protocol lending service launched by Cream Finance that extends uncollateralized credit lines to whitelisted protocols.
The attacker's sequence of operations was as follows:
- The attacker used Alpha Homora to borrow sUSD from Iron Bank, doubling the amount with each successive borrow.
- This was done in two transactions, each of which supplied the borrowed funds back into Iron Bank to mint cySUSD.
- Part-way through, the attacker took a 1.8 million USDC flash loan from Aave v2 and swapped the USDC for sUSD on Curve.
- The attacker supplied that sUSD to Iron Bank as well, minting yet more cySUSD.
- Some of the sUSD was used to repay the flash loan.
- A further flash loan of about US$10 million was used to increase the cySUSD holding again.
- In the end the attacker held a very large amount of cySUSD, which allowed them to borrow any asset from Iron Bank.
- The attacker then borrowed 13,244 WETH, 3.6 million USDC, 5.6 million USDT and 4.2 million DAI.
- The stablecoins were deposited into Aave v2; 1,000 ETH was sent to the Iron Bank deployer, 1,000 ETH to the Alpha Homora deployer, 220 ETH to Tornado Cash and 100 ETH to the Tornado Cash grant address, and approximately 11,000 ETH remains in the attacker's wallet.
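Two features of the sequence above lend themselves to an on-chain monitoring rule: one address whose consecutive borrows in a single market roughly double each time, and a supply (mint) and a borrow by the same address inside one transaction. The script below is an added example written for this page, not code from Cream Finance, Alpha Finance or @FrankResearcher. It runs both checks over a constructed event list; the addresses, transaction hashes and amounts are invented, and a real deployment would decode Borrow and Mint events from the cToken contracts instead of the hand-built records used here.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LendingEvent:
    """One lending-market log entry. The field set is an assumption made for
    this example; a real feed would carry decoded cToken Borrow/Mint events."""
    seq: int        # global ordering (block number, then log index)
    tx: str         # transaction hash (fake values below)
    actor: str      # borrower / supplier address
    kind: str       # "borrow", "mint" (supply) or "repay"
    market: str     # asset symbol of the market, e.g. "sUSD"
    amount: float   # token amount, already scaled by decimals


def find_doubling_borrows(events, min_steps=4, tol=0.05):
    """Return {(actor, market): [amounts]} for every borrower whose consecutive
    borrows in one market form a run of at least `min_steps` amounts in which
    each amount is within `tol` (relative) of exactly twice the previous one."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e.seq):
        if e.kind == "borrow":
            by_key[(e.actor, e.market)].append(e.amount)

    hits = {}
    for key, amounts in by_key.items():
        run, best = [amounts[0]], [amounts[0]]
        for amt in amounts[1:]:
            prev = run[-1]
            if prev > 0 and abs(amt / prev - 2.0) <= tol:
                run.append(amt)
            else:
                run = [amt]          # ratio broke; start a fresh run
            if len(run) > len(best):
                best = list(run)
        if len(best) >= min_steps:
            hits[key] = best
    return hits


def find_same_tx_supply_and_borrow(events):
    """Return the set of tx hashes in which one actor both supplies (mints) and
    borrows. On its own this is normal for leveraged positions, so it is a
    triage signal to combine with the doubling check, not an alert by itself."""
    kinds_per = defaultdict(set)
    for e in events:
        kinds_per[(e.tx, e.actor)].add(e.kind)
    return {tx for (tx, actor), kinds in kinds_per.items()
            if {"mint", "borrow"} <= kinds}


# Constructed sample feed: one ordinary borrower (alice) and one address (bob)
# that doubles its sUSD borrows five times, then supplies and borrows in one tx.
SAMPLE_EVENTS = [
    LendingEvent(1, "0xa1", "0xalice", "borrow", "sUSD", 500.0),
    LendingEvent(2, "0xb1", "0xbob", "borrow", "sUSD", 1_000.0),
    LendingEvent(3, "0xb2", "0xbob", "borrow", "sUSD", 2_000.0),
    LendingEvent(4, "0xa2", "0xalice", "borrow", "sUSD", 700.0),
    LendingEvent(5, "0xb3", "0xbob", "borrow", "sUSD", 4_000.0),
    LendingEvent(6, "0xb4", "0xbob", "borrow", "sUSD", 8_000.0),
    LendingEvent(7, "0xb5", "0xbob", "borrow", "sUSD", 16_000.0),
    LendingEvent(8, "0xb6", "0xbob", "mint", "sUSD", 1_800_000.0),
    LendingEvent(9, "0xb6", "0xbob", "borrow", "WETH", 13_000.0),
    LendingEvent(10, "0xa3", "0xalice", "borrow", "sUSD", 1_200.0),
]


def scan(events=SAMPLE_EVENTS):
    """Run both checks and report the actors that trip both rules."""
    doubling = find_doubling_borrows(events)
    flagged_txs = find_same_tx_supply_and_borrow(events)
    suspects = set()
    for (actor, _market) in doubling:
        if any(e.tx in flagged_txs and e.actor == actor for e in events):
            suspects.add(actor)
    return {"doubling": doubling, "same_tx": flagged_txs, "suspects": suspects}


if __name__ == "__main__":
    print(scan())
```

The doubling tolerance and minimum run length are tuning knobs: a tolerance of a few percent absorbs fee and rounding noise, while a minimum of four steps keeps ordinary two-step leverage loops from alerting. Neither rule identifies the underlying bug; they only surface the shape of activity the analysis above describes, for a human to look at before the borrowing step completes.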
Cream’s current investigation progress
After discovering the vulnerability, Cream.Finance first tweeted "Iron Bank borrowing has been paused" and "CREAM v1 funds are safe." Both tweets were deleted shortly afterwards.
Cream.Finance then tweeted again: the investigation of the Cream contracts and markets had been completed and they were operating normally; both V1 and V2 had been re-enabled, and an incident report would follow.
Alpha Homora V2 was also hit. Alpha Finance Lab responded urgently, tweeting that it had received a report of a vulnerability in Alpha Homora V2 and was working with Andre Cronje and Cream.Finance. The vulnerability had been patched, the stolen funds were being traced, and a main suspect had been identified. Users could not open new borrows on Alpha Homora V2, meaning no new leveraged positions could be created and only existing positions could be adjusted. V1 was said to be safe and operating. The team stated that it was on high alert and would disclose more details later.
The drawbacks and reflections of the rough DeFi development method
Vulnerabilities in DeFi projects now surface with troubling frequency, exposing the problems behind DeFi's breakneck growth. Perhaps it is time for DeFi developers to slow down and reflect. After Cream.Finance and the other projects were attacked, Shenyu wrote on Weibo that the rough-and-fast development style exemplified by AC (YFI founder Andre Cronje) lacks regression testing, and that its drawbacks are beginning to show. It is worth noting that several projects in the Yearn ecosystem have now been hacked, including Pickle, SushiSwap, Yearn itself and, today, Cream.
On February 12, according to Delaware's corporate registry, Grayscale Investments had registered, in addition to YFI, five further trust products on February 10: SNX (Synthetix), SUSHI (SushiSwap), STX (Blockstack), COMP (Compound) and MKR (MakerDAO).
Although Grayscale's CEO has said that registering a trust entity does not mean a corresponding product will launch, and urged users to invest carefully, the market reacted with great excitement: these DeFi tokens rallied sharply over the following two days, and the price of YFI briefly exceeded that of BTC. Today's hack hit that confidence directly; the DeFi leaders led the decline, and the market has cooled considerably.
DeFi is built like Lego: its composability and extensibility have opened new ground for the blockchain industry, but when one "brick" fails, the failure can cascade through the whole structure and cause users irreparable losses. The industry is still very young and has been tested by time only briefly. With hacks arriving one after another, it may be time for developers to re-examine the risks and opportunities DeFi brings, and to build a decentralized financial system that can truly stand the test of time.
Disclaimer: As a blockchain information platform, articles published on this site only represent the author’s personal views, and have nothing to do with ChainNews’ position. The information, opinions, etc. in the article are for reference only, and are not intended as or regarded as actual investment advice.