Cream Finance (Backtest)Micro-cap

Cream Finance (Backtest) receives a D+ risk grade (63/100) from Hindenrank, where lower scores indicate lower risk. High risk — two major exploits in six months demonstrate a pattern of recurring vulnerabilities, amplified by a uniquely wide attack surface from exotic collateral listings and uncollateralized Iron Bank lending. Cream Finance is a Compound V2 fork lending protocol with approximately $1.2B in total value locked as of September 2021, operating across Ethereum, BSC, Polygon, and Fantom. It differentiates itself by listing approximately 70 collateral tokens — far more than peers like Aave or Compound — including exotic DeFi tokens, LP tokens, and yield-bearing derivatives. Its D+ risk grade is driven by two major exploits in six months (February 2021: $37.5M via Iron Bank/Alpha Homora; August 2021: $18.8M via AMP token reentrancy), a novel and untested zero-collateral protocol-to-protocol lending feature (Iron Bank), and an exceptionally wide attack surface from its permissive collateral listing policy.

The key risks identified for Cream Finance (Backtest) are: (1) Cream has suffered two major exploits in 2021 alone — a $37.5M flash loan attack in February exploiting the Iron Bank integration with Alpha Homora, and an $18.8M reentrancy exploit in August via the AMP token's ERC-777 hooks. Each exploit used a different attack vector, suggesting systemic rather than isolated security issues. (2) The Iron Bank allows whitelisted protocols to borrow without posting collateral, creating uncollateralized credit risk. If a partner protocol is exploited or becomes insolvent, the resulting bad debt is directly borne by Cream depositors with no recovery mechanism. (3) Cream lists approximately 70 collateral tokens including small-cap DeFi tokens, LP tokens, and yield-bearing derivatives. Many of these have thin on-chain liquidity, making price manipulation economically feasible and liquidation during market stress potentially impossible. (4) Flash loans are available at the lowest fee in DeFi (0.03%), and combined with exotic collateral, provide attackers a capital-free path to manipulate prices and extract value from the protocol in a single atomic transaction. (5) The protocol's admin keys and 92.5% of CREAM token supply are controlled by a 9-member multisig. While the signers include reputable DeFi figures, this concentration of control creates both a security target and a governance centralization risk.

Cream Finance (Backtest) scores 63/100 across eight risk dimensions: Mechanism Novelty: 3/15, Interaction Severity: 16/20, Oracle Surface: 5/10, Documentation Gaps: 6/10, Track Record: 15/15, Scale Exposure: 7/10, Regulatory Risk: 4/10, Vitality Risk: 7/10. The highest risk area is Track Record at 15/15.

Among 90 rated Lending protocols on Hindenrank, Cream Finance (Backtest) ranks #0 by safety (lowest risk score = safest). Its 63/100 risk score and D+ grade place it among the safer Lending protocols.

Cream Finance (Backtest) scores 15/15 on the Track Record risk dimension, indicating some history of security incidents or exploits. Higher scores reflect more severe or frequent incidents. Review the full risk report for details.