How Does Cream Finance (Backtest) Work?
Cream Finance is a Compound V2 fork lending protocol with approximately $1.2B in total value locked as of September 2021, operating across Ethereum, BSC, Polygon, and Fantom. It differentiates itself by listing approximately 70 collateral tokens — far more than peers like Aave or Compound — including exotic DeFi tokens, LP tokens, and yield-bearing derivatives. Its D+ risk grade is driven by two major exploits in six months (February 2021: $37.5M via Iron Bank/Alpha Homora; August 2021: $18.8M via AMP token reentrancy), a novel and untested zero-collateral protocol-to-protocol lending feature (Iron Bank), and an exceptionally wide attack surface from its permissive collateral listing policy.
TVL: $1.2B
Sector: Lending
Risk Grade: D+
Value Grade: D
Core Mechanisms
3.1.1
Compound V2 Fork — Overcollateralized Lending with cTokens
Standard Compound V2 lending market with supply/borrow mechanics and cToken receipt tokens. Fork with minimal core changes to the lending engine.
3.1.3
Jump Rate Interest Rate Model
Standard Compound-style jump rate model adjusting borrow rates based on utilization. Kink parameter determines the utilization threshold for rate acceleration.
3.2.1
Compound-style Liquidation Engine
Standard close-factor liquidation model from Compound V2. Liquidators repay a portion of borrower debt and receive discounted collateral.
3.3.2
Flash Loans (0.03% fee)
Standard flash loan implementation. Lower fee than Aave (0.09%) and Uniswap (0.3%). Covers the widest variety of digital assets on the market including LP tokens.
3.1.1
Novel: Iron Bank — Zero-Collateral Protocol-to-Protocol Lending
NOVEL: Whitelisted protocols (initially Yearn, Alpha Homora) can borrow from Iron Bank without posting collateral, based on a credit assessment system. No standard precedent for uncollateralized protocol-to-protocol DeFi lending at this scale. This was the root cause vector for the Feb 2021 exploit.
4.1.1
Chainlink Price Oracle with Alpha Finance Fair LP Pricing
Chainlink as primary oracle for standard tokens. Uses Alpha Finance fair LP pricing for Uniswap/SushiSwap LP tokens. No fallback for tokens without Chainlink feeds — relies on custom price feeds.
5.1.1
CREAM Governance Token
Standard governance token for voting on listings, collateral factors, and protocol parameters. 9M max supply with team (10%), seed (10%), and liquidity mining (20%) allocations.
3.1.1
Exotic Collateral Markets (~70 tokens including LP tokens and DeFi derivatives)
Standard lending mechanic but applied to a much wider and more exotic set of collateral than peers. Includes LP tokens (Uniswap, SushiSwap), yield-bearing tokens (yCRV), and small-cap DeFi tokens — many with thin liquidity.
How the Pieces Interact
Zero-collateral protocol lending combined with flash loan availability creates a path for whitelisted protocols to be exploited, enabling attackers to drain Iron Bank funds via a compromised integration. The February 2021 Alpha Homora exploit demonstrated this exact attack path, resulting in $37.5M loss.
Flash loans enable capital-free price manipulation of illiquid exotic collateral tokens. An attacker can flash-borrow to manipulate an illiquid token's price, use inflated collateral to borrow valuable assets from Cream, and extract value in a single atomic transaction. The August 2021 AMP reentrancy exploit used a related vector.
Many exotic tokens listed on Cream lack robust Chainlink price feeds and rely on custom or less battle-tested oracle solutions. Price manipulation of thin-liquidity tokens can be profitable when the oracle cannot accurately reflect true market value, enabling undercollateralized borrowing.
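The fair LP pricing named under Core Mechanisms exists to blunt this kind of valuation error. The sketch below is an added example, not Cream's or Alpha Finance's code: it values an LP token by marking the pool's current reserves at reference prices and by the fair formula 2·sqrt(r0·r1·p0·p1)/supply, then adds a reserve-skew check a monitor could alert on. The pool, the 0.3% swap fee, the 0.75 collateral factor and all function names are constructed assumptions.

```python
from math import sqrt

def swap(r_in, r_out, amount_in, fee=0.003):
    """Constant-product (x*y=k) swap; returns (r_in, r_out) after the trade."""
    effective = amount_in * (1 - fee)
    amount_out = r_out * effective / (r_in + effective)
    return r_in + amount_in, r_out - amount_out

def naive_lp_price(r0, r1, p0, p1, supply):
    """Marks whatever reserves the pool holds right now at reference prices."""
    return (r0 * p0 + r1 * p1) / supply

def fair_lp_price(r0, r1, p0, p1, supply):
    """Fair LP price: depends on the reserves only through the invariant k = r0*r1."""
    return 2 * sqrt(r0 * r1 * p0 * p1) / supply

def reserves_skewed(r0, r1, p0, p1, tolerance=0.02):
    """True when the pool's spot ratio r1/r0 strays from the reference ratio p0/p1."""
    return abs((r1 / r0) / (p0 / p1) - 1) > tolerance

def borrow_capacity(lp_amount, lp_price, collateral_factor=0.75):
    """Value that can be borrowed against lp_amount LP tokens (assumed factor)."""
    return lp_amount * lp_price * collateral_factor

def compare(trade_in=9_000_000, lp_held=100_000):
    # Constructed pool: 1M TOKEN / 1M USDC, both referenced at $1, 1M LP shares.
    r_token, r_usdc, p_token, p_usdc, supply = 1e6, 1e6, 1.0, 1.0, 1e6
    rows = {}
    for label in ("balanced", "skewed"):
        if label == "skewed":
            # One large one-sided trade inside the same block skews the reserves.
            r_usdc, r_token = swap(r_usdc, r_token, trade_in)
        naive = naive_lp_price(r_token, r_usdc, p_token, p_usdc, supply)
        fair = fair_lp_price(r_token, r_usdc, p_token, p_usdc, supply)
        rows[label] = {
            "naive": naive,
            "fair": fair,
            "naive_capacity": borrow_capacity(lp_held, naive),
            "fair_capacity": borrow_capacity(lp_held, fair),
            "skew_alert": reserves_skewed(r_token, r_usdc, p_token, p_usdc),
        }
    return rows

if __name__ == "__main__":
    for label, row in compare().items():
        print(label, {k: round(v, 4) if isinstance(v, float) else v for k, v in row.items()})
```

The fair price moves only by the swap fee that accrues to k, so borrow capacity stays near its balanced value while the reserve-marked figure multiplies.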
Compound's lending model was designed for a small set of liquid, well-understood tokens. Applying the same collateral factors and liquidation parameters to 70+ tokens including illiquid DeFi derivatives creates a tail risk of cascading liquidation failures when multiple exotic tokens decline simultaneously during market stress.
Liquidators may lack economic incentive to liquidate positions backed by illiquid or exotic tokens, as acquired collateral may be difficult to sell. This could lead to accumulation of bad debt during rapid market declines, as positions become undercollateralized but remain unliquidated.
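To make the liquidator-incentive point concrete, the following added example (not from Cream's code base) computes a liquidator's profit when the seized collateral has to be sold into a constant-product pool, and the pool depth at which that profit reaches zero. The 50% close factor, 8% liquidation incentive, 0.3% swap fee, pool sizes and function names are constructed assumptions, not Cream's parameters.

```python
def seized_collateral(repay_value, oracle_price, incentive):
    """Collateral units the liquidator receives for repaying repay_value of debt."""
    return repay_value * incentive / oracle_price

def sale_proceeds(pool_tokens, pool_usd, amount, fee=0.003):
    """USD received for selling `amount` tokens into a constant-product pool."""
    effective = amount * (1 - fee)
    return pool_usd * effective / (pool_tokens + effective)

def liquidator_pnl(debt, close_factor, incentive, oracle_price, pool_tokens, pool_usd):
    """Profit after repaying close_factor * debt and dumping the seized collateral."""
    repay = debt * close_factor
    seized = seized_collateral(repay, oracle_price, incentive)
    return sale_proceeds(pool_tokens, pool_usd, seized) - repay

def break_even_pool_usd(debt, close_factor, incentive, oracle_price, fee=0.003):
    """USD-side depth of a pool priced at oracle_price where the PnL is exactly zero.

    Solving D*e / (D/price + e) = repay for D, with e the post-fee seized amount.
    Returns infinity when the incentive does not even cover the swap fee.
    """
    repay = debt * close_factor
    effective = seized_collateral(repay, oracle_price, incentive) * (1 - fee)
    margin = effective - repay / oracle_price
    if margin <= 0:
        return float("inf")
    return repay * effective / margin

# Constructed position: $1M of debt backed by a token the oracle prices at $1.
DEBT, CLOSE_FACTOR, INCENTIVE, PRICE = 1_000_000, 0.5, 1.08, 1.0

def scenario():
    deep = liquidator_pnl(DEBT, CLOSE_FACTOR, INCENTIVE, PRICE, 50e6, 50e6)
    thin = liquidator_pnl(DEBT, CLOSE_FACTOR, INCENTIVE, PRICE, 2e6, 2e6)
    depth = break_even_pool_usd(DEBT, CLOSE_FACTOR, INCENTIVE, PRICE)
    return {"deep_pool_pnl": deep, "thin_pool_pnl": thin, "break_even_usd": depth}

if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value:,.0f}")
```

Any listed token whose deepest pool sits below the break-even depth for a typical position size is one where the liquidation bonus alone will not attract liquidators.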
What Could Go Wrong
- Two major exploits within six months (February 2021: $37.5M flash loan attack via Alpha Homora/Iron Bank integration; August 2021: $18.8M AMP token reentrancy exploit) demonstrate a pattern of recurring vulnerabilities on the current production codebase, with different attack vectors each time.
- The Iron Bank's zero-collateral protocol-to-protocol lending feature creates systemic cross-protocol contagion risk. Whitelisted protocols can borrow without posting collateral, meaning a single exploited integration partner can drain Iron Bank assets — as demonstrated in the February 2021 Alpha Homora incident.
- Cream accepts approximately 70 collateral assets including exotic DeFi tokens, LP tokens, and yield-bearing derivatives. Many of these have thin liquidity, making oracle price manipulation economically feasible and liquidation cascades more likely during market stress.
- Flash loan availability combined with exotic collateral acceptance creates a wide attack surface for price manipulation exploits. An attacker can borrow large amounts via flash loan, manipulate the price of an illiquid collateral token, borrow against the inflated collateral, and extract value — a pattern consistent with how prior lending protocol exploits have been executed.
Third Exploit via Flash Loan Collateral Manipulation
Elevated
Trigger: An attacker discovers a new price manipulation vector for one of Cream's ~70 listed collateral tokens — particularly yield-bearing tokens or LP tokens whose on-chain price can be influenced within a single transaction block. The attacker needs only one exploitable oracle feed or one reentrancy-vulnerable token contract among the 70+ listed assets.
1. Attacker identifies a collateral token listed on Cream with manipulable pricing (e.g., a Yearn vault token, LP token, or ERC-777 token with transfer hooks) and constructs a flash loan attack. — The attacker can borrow large amounts of capital at zero cost via Cream's own flash loan facility (0.03% fee) or via Aave/dYdX to fund the manipulation.
2. Attacker uses flash-borrowed funds to inflate the price of the target collateral token on its underlying AMM or vault, then deposits the token into Cream at the inflated valuation. — Cream's oracle reports the manipulated price as the collateral value, allowing the attacker to borrow valuable assets (ETH, USDC, WBTC) far in excess of the collateral's true value.
3. Attacker borrows maximum value against inflated collateral across multiple Cream markets, draining available liquidity in ETH, stablecoins, and other liquid assets. — Multiple Cream lending pools are drained simultaneously. The protocol accumulates massive bad debt that cannot be recovered from the now-worthless inflated collateral.
4. Flash loan is repaid within the same transaction. The attacker retains the borrowed assets minus the flash loan fee. — Cream depositors face immediate loss of funds. The protocol's TVL collapses as remaining depositors rush to withdraw, and CREAM token price crashes as confidence is destroyed for the third time in 8 months.
5. Protocol attempts to respond but damage is contained in a single atomic transaction. The 9-member multisig cannot react in time to pause markets. — Total loss could exceed $100M given Cream's $1.2B TVL. The two prior exploits (Feb $37.5M, Aug $18.8M) establish a pattern of escalating losses as attackers find increasingly sophisticated vectors.
Risk Profile at a Glance
Overall: D+ (63/100)
Lower score = safer