Cream Finance’s Incident Analysis — $yUSD Share Price Manipulation

Starting from Oct-27–2021 01:54:10 PM UTC, Cream Finance was exploited using a flaw in the share price calculation of Yearn Finance’s yUSD contract. In this article, we will describe the technical details of this attack step-by-step.

Related Addresses

Key Attack Steps

1. Attacker’s contract #1 flash minted 500M $DAI and then deposited $DAI to get 451,065,927.89 $yDAI

2. Attacker’s contract #1 added liquidity using $yDAI to get yDAI+yUSDC+yUSDT+yTUSD and then deposited to Yearn Finance’s yUSD contract to get 446,756,774.41 $yUSD

3. Attacker’s contract #1 deposited $yUSD to Cream for minting 22,337,774,341.38 $crYUSD

4. Attacker’s contract #2 flash loaned 524,102.159 $wETH from Aave and transferred 6000 $wETH to Attacker’s contract #1

5. Attacker’s contract #2 deposited 518,102.15 $ETH to mint 24,951,862.27 $crETH from Cream $crETH

6. Attacker’s contract #2 borrowed 446,758,198.60 $yUSD from Cream $crYUSD Vault, used $yUSD to mint 22,337,845,550.60 $crYUSD, and transferred $crYUSD to Attacker’s contract #1 twice

7. Attacker’s contract #2 borrowed 446,758,198.60 $yUSD from Cream $crYUSD Vault and transferred $crYUSD to Attacker’s contract #1

8. Attacker’s contract #1 swapped 1,873 $wETH for 7,453,002 $USDC

9. Attacker’s contract #1 swapped 3,726,501 $USDC for 3,383,317 $DUSD

10. Attacker’s contract #1 redeemed 3,383,317 $DUSD for 3,022,172 $yUSD

11. Attacker’s contract #1 used 449,780,371 $yUSD to withdraw 450,228,633 yDAI+yUSDC+yUSDT+yTUSD

12. Attacker’s contract #1 transferred 8,431,514.82 $yDAI+yUSDC+yUSDT+yTUSD in order to $yUSD contract for manipulating the pricePerShare (This is the key step in this attack)

13. Attacker’s contract #1 borrowed 523,208 $ETH

14. Attacker’s contract #1 borrowed the other assets from Cream Finance’s vaults

15. Attacker’s contract #2 returned the 524,573.85 $WETH flash loaned to Aave

16. Attacker’s contract #1 removed liquidity of a 441,630,795.41 $yDAI+yUSDC+yUSDT+yTUSD to get 445,331,495.26 $yDAI

17. Attacker’s contract #1 used 445,331,495.27 $yDAI to withdraw $493,643,465.09 $DAI

18. Attacker’s contract #1 swapped 6,360,562.84 $USDC to 6,356,534.90 $DAI

19. Attacker’s contract #1 returned the 500M $DAI flash minted

Root Cause

This attack is caused by a flaw in the pricePerShare() function of $yUSD contract.

The price is calculated by using the _shareValue() function.

https://github.com/yearn/yearn-vaults/blob/a113064afd59ecac6ae4f8ed9bfe0d0d00c727a3/contracts/Vault.vy#L1139-L1147

The _shareValue() function uses the value from the _freeFunds() function divided by the total supply of $yUSD contract.

https://github.com/yearn/yearn-vaults/blob/a113064afd59ecac6ae4f8ed9bfe0d0d00c727a3/contracts/Vault.vy#L916-L930

The _freeFunds() function returns the amount of free asset calculated from the total asset subtracted by the locked profit.

https://github.com/yearn/yearn-vaults/blob/a113064afd59ecac6ae4f8ed9bfe0d0d00c727a3/contracts/Vault.vy#L821-L824

The total asset is calculated using the _totalAssets() function, which returns the sum of the token balance and the total debt.

https://github.com/yearn/yearn-vaults/blob/a113064afd59ecac6ae4f8ed9bfe0d0d00c727a3/contracts/Vault.vy#L786-L790

By transferring the $yDAI+yUSDC+yUSDT+yTUSD directly to the $yUSD contract, the attacker was able to increase the total asset, which leads to the inflation of the price per share. With the inflated price per share, the attacker’s collateral value is significantly amplified, allowing the attacker to borrow more assets than the actual collateral value.

Conclusion

In summary, the attacker gained multiple assets which are worth more than $100M.

List of Drained Assets

Transaction #1 (https://etherscan.io/tx/0x0fe2542079644e107cbf13690eb9c2c65963ccb79089ff96bfaf8dced2331c92):

  • 2,760.219 $Ether
  • 12,266 $CRETH2
  • 623,760 $xSUSHI
  • 135,402 $wNXM
  • 447,222 $PERP
  • 418,917 $RUNE
  • 15,567 $DPI
  • 156,629 $UNI
  • 4,324,457 $USDC
  • 3,817,374 $FEI
  • 3,780,808 $USDT
  • 747 $yvCurve-stETH
  • 6,937 $GNO
  • 38,922 $FTX
  • 341,681 $YGG

Transaction #2 (https://etherscan.io/tx/0x5189ac29b4d7ed7c1e78423f679f376ac0a2b32158349db84b01677f0608aac8):

  • 32.729 $WBTC
  • 116,602.960 $SUSHI
  • 1,272,378.566 $OCEAN
  • 35.070 $YFI
  • 20.082 $HBTC
  • 23.260 $renBTC
  • 611.572 $SLP (DAI-WETH)
  • 510,018.968 $BUSD
  • 48,361.418 $bBADGE
  • 79,792.244 $SWAP

Transaction #3 (https://etherscan.io/tx/0xa43053e945df7a0e407b083a3a1068f11d7e799bbe7dc99e8d8205f5cac2cd68):

  • 871.599 $KP3R
  • 137,235.688 $FTM
  • 11,790.557 $LINK
  • 165,940.538 $CRV
  • 1,325,841.965 $DAI
  • 4,914.341 $HFIL
  • 46,893.188 $vVSP
  • 2,190.164 $AAVE
  • 482,582.887 $yvCurve-IronBank
  • 803,779.111 $UST
  • 578,182.813 $WOO
  • 27,962.138 $BAL
  • 782,197.337 $FRAX

Transaction #4 (https://etherscan.io/tx/0x0e560a840eaa749a9b55f1cae4b48d3e03c6f2060d65fbf66414008c29e77c27):

  • 109,383.937 $SRM
  • 1,067,935.593 $OGN
  • 12,804.664 $BNT
  • 899.857 $BOND
  • 0.980 $ibBTC
  • 538,952.213 $HEGIC
  • 488.505 $VSP
  • 2,821,793.098 $ESD
  • 88,956.331 $MANA
  • 275.101 $COMP

Transaction #5 (https://etherscan.io/tx/0x426c4ee29c3bc19ecb036cfedbca095c16847f8b688edaab7b1812577a3ab8a0):

  • 7,815.941 $OMG
  • 76.066 $PICKLE
  • 3,203,107.696 $AKRO
  • 3,102.996 $SAND
  • 1,515,737.117 $ARMOR
  • 283,272.628 $MTA
  • 64,359.291 $1INCH
  • 54,380.2204 $CEL

Transaction #6 (https://etherscan.io/tx/0x59a98612d1fc3c8dc2b404258dfa46083a5635a2775659f8de3db18aec1b326c):

  • 194,020.716 $ALPHA

Transaction #7 (https://etherscan.io/tx/0xb9583254ecd4efca21759e6ed5c8314ea918246d02f0f5fca580d7eb24b4e79c):

  • 3,085.275 $SLP (SUSHI-WETH)
  • 16.600 $SLP (YFI-WETH)

About Inspex

Inspex is formed by a team of cybersecurity experts highly experienced in various fields of cybersecurity. We provide blockchain and smart contract professional services at the highest quality to enhance the security of our clients and the overall blockchain ecosystem.

For any business inquiries, please contact us via Twitter, Telegram, contact@inspex.co

Cybersecurity professional service, specialized in blockchain and smart contract auditing https://twitter.com/InspexCo