What Happened

Cream Finance (Backtest)

$130M | Smart Contract Exploit | October 27, 2021

Attacker used flash loans to manipulate the price of yUSD (a Yearn vault token used as collateral on Cream), inflating its value to borrow and drain $130M across multiple tokens. This was Cream's third major exploit in 8 months.

What Hindenrank Would Have Said

As of September 1, 2021

Grade: D+
Risk Score: 63/100

High risk — two major exploits in six months demonstrate a pattern of recurring vulnerabilities, amplified by a uniquely wide attack surface from exotic collateral listings and uncollateralized Iron Bank lending.

Mechanism Novelty: 3/15
Interaction Severity: 16/20
Oracle Surface: 5/10
Documentation Quality: 6/10
Track Record: 15/15
Scale Exposure: 7/10
Regulatory Risk: 4/10
Protocol Vitality: 7/10

Grade Predicted This Failure

Flagged by dimensions: Track Record, Interaction Severity, Oracle Surface, Protocol Vitality, Scale Exposure, Documentation Quality

One or more collapse scenarios directly matched the actual failure mode.

Top Risks Identified

  1. Two major exploits within six months (February 2021: $37.5M flash loan attack via Alpha Homora/Iron Bank integration; August 2021: $18.8M AMP token reentrancy exploit) demonstrate a pattern of recurring vulnerabilities on the current production codebase, with different attack vectors each time.
  2. The Iron Bank's zero-collateral protocol-to-protocol lending feature creates systemic cross-protocol contagion risk. Whitelisted protocols can borrow without posting collateral, meaning a single exploited integration partner can drain Iron Bank assets — as demonstrated in the February 2021 Alpha Homora incident.
  3. Cream accepts approximately 70 collateral assets including exotic DeFi tokens, LP tokens, and yield-bearing derivatives. Many of these have thin liquidity, making oracle price manipulation economically feasible and liquidation cascades more likely during market stress.
  4. Flash loan availability combined with exotic collateral acceptance creates a wide attack surface for price manipulation exploits. An attacker can borrow large amounts via flash loan, manipulate the price of an illiquid collateral token, borrow against the inflated collateral, and extract value — a pattern consistent with how prior lending protocol exploits have been executed.

Collapse Scenarios

Third Exploit via Flash Loan Collateral Manipulation

Elevated
Trigger

An attacker discovers a new price manipulation vector for one of Cream's ~70 listed collateral tokens — particularly yield-bearing tokens or LP tokens whose on-chain price can be influenced within a single transaction block. The attacker needs only one exploitable oracle feed or one reentrancy-vulnerable token contract among the 70+ listed assets.

Cascade
1. Attacker identifies a collateral token listed on Cream with manipulable pricing (e.g., a Yearn vault token, LP token, or ERC-777 token with transfer hooks) and constructs a flash loan attack.
   The attacker can borrow large amounts of capital at zero cost via Cream's own flash loan facility (0.03% fee) or via Aave/dYdX to fund the manipulation.
2. Attacker uses flash-borrowed funds to inflate the price of the target collateral token on its underlying AMM or vault, then deposits the token into Cream at the inflated valuation.
   Cream's oracle reports the manipulated price as the collateral value, allowing the attacker to borrow valuable assets (ETH, USDC, WBTC) far in excess of the collateral's true value.
3. Attacker borrows maximum value against inflated collateral across multiple Cream markets, draining available liquidity in ETH, stablecoins, and other liquid assets.
   Multiple Cream lending pools are drained simultaneously. The protocol accumulates massive bad debt that cannot be recovered from the now-worthless inflated collateral.
4. Flash loan is repaid within the same transaction. The attacker retains the borrowed assets minus the flash loan fee.
   Cream depositors face immediate loss of funds. The protocol's TVL collapses as remaining depositors rush to withdraw, and CREAM token price crashes as confidence is destroyed for the third time in 8 months.
5. Protocol attempts to respond but damage is contained in a single atomic transaction. The 9-member multisig cannot react in time to pause markets.
   Total loss could exceed $100M given Cream's $1.2B TVL. The two prior exploits (Feb $37.5M, Aug $18.8M) establish a pattern of escalating losses as attackers find increasingly sophisticated vectors.

Historical Precedent

This exact pattern occurred twice to Cream Finance itself: (1) February 13, 2021 — Alpha Homora exploited Cream's Iron Bank via flash loans for $37.5M; (2) August 30, 2021 — AMP token reentrancy exploit drained $18.8M via flash loan. The bZx protocol suffered similar repeated flash loan exploits in February 2020. Harvest Finance lost $34M to a similar flash loan oracle manipulation in October 2020.
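
The cascade above depends on the lending market valuing collateral at a price that can move inside one transaction. The sketch below is an added example, not Cream's or Hindenrank's code: it compares the borrow limit computed from raw spot price with one capped against a block-weighted average reference. The function names, the 200-block window, the 5% deviation bound, the 0.75 collateral factor and the price history are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Observation:
    block: int    # block at which the price was recorded
    price: float  # collateral token spot price in USD

def twap(obs, now_block, window):
    """Block-weighted mean price over the `window` blocks before now_block.
    A price holds until the next observation; a price first seen in
    now_block itself gets zero weight, so an in-transaction spike is ignored."""
    start, total, covered = now_block - window, 0.0, 0
    for i, o in enumerate(obs):
        end = obs[i + 1].block if i + 1 < len(obs) else now_block
        lo, hi = max(o.block, start), min(end, now_block)
        if hi > lo:
            total += o.price * (hi - lo)
            covered += hi - lo
    if covered == 0:
        raise ValueError("no price history inside the window")
    return total / covered

def guarded_price(spot, reference, max_deviation):
    """Value collateral at spot, but never above reference * (1 + max_deviation)."""
    return min(spot, reference * (1 + max_deviation))

def borrow_limit(units, price, collateral_factor):
    return units * price * collateral_factor

# Constructed sample data: three quiet observations, then a 2x spot reading
# that first appears in the block being evaluated (block 300).
HISTORY = [Observation(100, 1.00), Observation(150, 1.02),
           Observation(200, 1.01), Observation(300, 2.00)]

def compare(units=1_000_000, collateral_factor=0.75, window=200, max_deviation=0.05):
    spot = HISTORY[-1].price
    ref = twap(HISTORY, now_block=300, window=window)
    naive = borrow_limit(units, spot, collateral_factor)
    guarded = borrow_limit(units, guarded_price(spot, ref, max_deviation), collateral_factor)
    return {"reference": ref, "naive": naive, "guarded": guarded,
            "blocked_excess": naive - guarded}

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:,.4f}")
```

With the constructed history, the spot-priced limit doubles with the spike while the capped limit stays within 5% of the reference, so the excess borrowing power never becomes available in the same block.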

Iron Bank Credit Contagion via Whitelisted Protocol Failure

Moderate
Trigger

A protocol whitelisted on Cream's Iron Bank for zero-collateral borrowing (e.g., Yearn, Alpha Homora, or a future addition) suffers a governance attack, smart contract exploit, or insolvency that results in inability to repay its Iron Bank credit line. The Iron Bank credit exposure exceeds $50M to any single whitelisted protocol.

Cascade
1. A whitelisted Iron Bank partner protocol is exploited or suffers a critical failure, rendering it unable to repay its outstanding zero-collateral loans from Cream's Iron Bank.
   The Iron Bank holds unsecured debt from the failed protocol. Unlike standard Cream loans, there is no collateral to liquidate — the debt is purely credit-based.
2. Iron Bank depositors realize their funds are at risk from the bad debt. News spreads that the failed protocol cannot repay, and depositors begin withdrawing from Iron Bank markets.
   Bank run dynamics emerge as depositors race to withdraw before liquidity is exhausted. Interest rates spike as utilization approaches 100%.
3. Iron Bank liquidity dries up. Remaining depositors are unable to withdraw and effectively bear the losses from the bad debt.
   The socialized loss destroys trust in Cream's Iron Bank model. Remaining whitelisted partners may also begin unwinding positions, creating further withdrawal pressure.
4. CREAM token price collapses as the market reprices the protocol's viability. Governance loses the ability to attract and compensate developers.
   Cream enters a death spiral: declining TVL reduces fee revenue, which reduces development capacity, which increases the risk of further exploits — a pattern already visible after the first two 2021 exploits.

Historical Precedent

The February 2021 exploit was precisely an Iron Bank contagion event: Alpha Homora V2 was exploited, and the attacker used Alpha Homora's whitelisted zero-collateral borrowing privilege to extract $37.5M from Cream's Iron Bank. This scenario posits a repeat with a different partner protocol or attack vector.

Cascading Liquidation Failure Across Exotic Collateral Markets

Moderate
Trigger

A broad DeFi market downturn causes 40%+ price declines across multiple exotic tokens listed as Cream collateral within 48 hours. At least 10 of Cream's ~70 listed collateral tokens simultaneously breach liquidation thresholds.

Cascade
1. A sharp DeFi market correction drives rapid price declines in small-cap DeFi tokens, LP tokens, and yield-bearing tokens listed as Cream collateral.
   Dozens of borrowing positions backed by exotic collateral simultaneously become undercollateralized and eligible for liquidation.
2. Liquidators attempt to liquidate positions but find insufficient on-chain liquidity to sell the exotic collateral tokens. LP tokens may need to be unwound through multiple steps, and some DeFi tokens have less than $1M in DEX liquidity.
   Liquidations fail or execute at massive slippage. Liquidators avoid unprofitable liquidations, leaving bad debt accumulating across Cream markets.
3. Bad debt accumulates faster than the protocol can absorb it. Cream has no insurance fund or reserve mechanism proportional to its $1.2B TVL.
   Depositors in major markets (ETH, USDC, WBTC) face losses as borrowed assets cannot be recovered from illiquid collateral. A bank run begins across all Cream markets.
4. Cream's response is constrained by governance speed. The 9-member multisig must coordinate to delist assets or adjust parameters, but by the time action is taken, the damage is done.
   TVL collapses from $1.2B as depositors exit en masse. Protocol may become insolvent if accumulated bad debt exceeds remaining reserves.

Historical Precedent

The March 2020 'Black Thursday' crash caused MakerDAO to accumulate $6M in bad debt when liquidation bots failed during network congestion. Venus Protocol on BSC accumulated $100M+ in bad debt in May 2021 from a manipulated XVS token used as collateral. Both incidents involved liquidation failures during market stress — the same risk amplified by Cream's far wider exotic collateral exposure.
