Is Cream Finance (Backtest) Safe?
Risk Grade: D+ (63/100)
Cream Finance (Backtest) is rated as high risk — extreme novelty, critical interactions, unproven at scale.
High risk — two major exploits in six months demonstrate a pattern of recurring vulnerabilities, amplified by a uniquely wide attack surface from exotic collateral listings and uncollateralized Iron Bank lending.
Cream Finance is a Compound V2 fork lending protocol with approximately $1.2B in total value locked as of September 2021, operating across Ethereum, BSC, Polygon, and Fantom. It differentiates itself by listing approximately 70 collateral tokens — far more than peers like Aave or Compound — including exotic DeFi tokens, LP tokens, and yield-bearing derivatives. Its D+ risk grade is driven by two major exploits in six months (February 2021: $37.5M via Iron Bank/Alpha Homora; August 2021: $18.8M via AMP token reentrancy), a novel and untested zero-collateral protocol-to-protocol lending feature (Iron Bank), and an exceptionally wide attack surface from its permissive collateral listing policy.
TVL: $1.2B
Mechanisms: 8
Interactions: 8
Value Grade: D
Key Risks for Cream Finance (Backtest) Users
Cream has suffered two major exploits in 2021 alone — a $37.5M flash loan attack in February exploiting the Iron Bank integration with Alpha Homora, and an $18.8M reentrancy exploit in August via the AMP token's ERC-777 hooks. Each exploit used a different attack vector, suggesting systemic rather than isolated security issues.
The Iron Bank allows whitelisted protocols to borrow without posting collateral, creating uncollateralized credit risk. If a partner protocol is exploited or becomes insolvent, the resulting bad debt is directly borne by Cream depositors with no recovery mechanism.
Cream lists approximately 70 collateral tokens including small-cap DeFi tokens, LP tokens, and yield-bearing derivatives. Many of these have thin on-chain liquidity, making price manipulation economically feasible and liquidation during market stress potentially impossible.
Flash loans are available at the lowest fee in DeFi (0.03%), and combined with exotic collateral, provide attackers a capital-free path to manipulate prices and extract value from the protocol in a single atomic transaction.
The protocol's admin keys and 92.5% of CREAM token supply are controlled by a 9-member multisig. While the signers include reputable DeFi figures, this concentration of control creates both a security target and a governance centralization risk.
Top Risk Factors
- Two major exploits within six months (February 2021: $37.5M flash loan attack via Alpha Homora/Iron Bank integration; August 2021: $18.8M AMP token reentrancy exploit) demonstrate a pattern of recurring vulnerabilities on the current production codebase, with different attack vectors each time.
- The Iron Bank's zero-collateral protocol-to-protocol lending feature creates systemic cross-protocol contagion risk. Whitelisted protocols can borrow without posting collateral, meaning a single exploited integration partner can drain Iron Bank assets — as demonstrated in the February 2021 Alpha Homora incident.
- Cream accepts approximately 70 collateral assets including exotic DeFi tokens, LP tokens, and yield-bearing derivatives. Many of these have thin liquidity, making oracle price manipulation economically feasible and liquidation cascades more likely during market stress.
- Flash loan availability combined with exotic collateral acceptance creates a wide attack surface for price manipulation exploits. An attacker can borrow large amounts via flash loan, manipulate the price of an illiquid collateral token, borrow against the inflated collateral, and extract value — a pattern consistent with how prior lending protocol exploits have been executed.
How Cream Finance (Backtest) Compares to Peers
Cream Finance (Backtest) ranks #95 of 96 Lending protocols (bottom quartile — among the riskiest). At a risk score of 63/100, it's 26 points riskier than the sector average of 37/100.
Adjacent peers: Abracadabra (D+, 62/100) is ranked just safer, and Tapioca (D+, 65/100) is ranked just riskier.
See the full Lending sector leaderboard or the Cream Finance (Backtest) vs Abracadabra comparison.
Common Questions about Cream Finance (Backtest)
Plain-English answers based on Cream Finance (Backtest)'s scores across Hindenrank's 8 risk dimensions. The highest-scoring (riskiest) dimension is Track Record (15/15).
Has Cream Finance (Backtest) ever been hacked or exploited?
Cream Finance (Backtest) has a documented incident history that materially raised its risk grade — the track record dimension scored 15/15, near the high end of the scale. Past exploits, governance failures, or contract issues are baked into this rating. Anyone considering deposits should review the incident details before allocating capital.
How much money is at stake in Cream Finance (Backtest)?
Cream Finance (Backtest) currently holds over $1.2B in user deposits. A protocol of this size typically has deeper liquidity, more eyes on the code, and more attention from auditors — but it also means a single failure has a much larger blast radius.
What's the worst-case scenario for Cream Finance (Backtest)?
Hindenrank has identified specific collapse scenarios for Cream Finance (Backtest). The most prominent: "Third Exploit via Flash Loan Collateral Manipulation". The trigger condition is that an attacker discovers a new price manipulation vector for one of Cream's ~70 listed collateral tokens — particularly yield-bearing tokens or LP tokens whose on-chain price can be influenced within a single transaction block. The attacker needs only one exploitable oracle feed or one reentrancy-vulnerable token contract among the 70+ listed assets. Reading through the full scenario list on the protocol page is the single best way to understand the actual failure modes — generic "smart contract risk" is rarely the thing that takes a protocol down.
Is Cream Finance (Backtest) regulated or insured?
Cream Finance (Backtest) has some regulatory exposure (4/10), typical of mid-sized DeFi protocols. There is no specific enforcement action on record, but the structure includes elements that regulators have flagged in similar protocols. No DeFi protocol carries FDIC-style insurance — even with low regulatory risk, depositors are not protected in the way bank customers are.
What are the biggest red flags for Cream Finance (Backtest)?
Hindenrank's retail-focused risk audit flagged: Cream has suffered two major exploits in 2021 alone — a $37.5M flash loan attack in February exploiting the Iron Bank integration with Alpha Homora, and an $18.8M reentrancy exploit in August via the AMP token's ERC-777 hooks. Each exploit used a different attack vector, suggesting systemic rather than isolated security issues. The Iron Bank allows whitelisted protocols to borrow without posting collateral, creating uncollateralized credit risk. If a partner protocol is exploited or becomes insolvent, the resulting bad debt is directly borne by Cream depositors with no recovery mechanism. Cream lists approximately 70 collateral tokens including small-cap DeFi tokens, LP tokens, and yield-bearing derivatives. Many of these have thin on-chain liquidity, making price manipulation economically feasible and liquidation during market stress potentially impossible. On the technical side, 2 critical-severity interaction risks have been identified.
Should beginners deposit into Cream Finance (Backtest)?
Cream Finance (Backtest) carries a D+ grade — among the riskiest protocols in Hindenrank's coverage. Beginners should not deposit here. Anyone considering a position should understand they may lose everything they put in, and should size accordingly.
How does Cream Finance (Backtest) compare to safer Lending alternatives?
Cream Finance (Backtest) is one protocol in Hindenrank's Lending coverage. The safest Lending protocols on the leaderboard tend to share three traits: a long incident-free track record, conservative mechanism design, and high-quality public documentation. Compare Cream Finance (Backtest) against the full Lending ranking before committing capital.
For the full 8-dimension score breakdown, the radar chart, and dependency graph, see the Cream Finance (Backtest) risk report.
Read the Full Cream Finance (Backtest) Risk Report
This protocol has 3 collapse scenarios. 2 critical and 3 high-severity interaction risks identified. See the full mechanism classification, interaction matrix, and deep-dive recommendations.