Cream Finance’s Incident Analysis — $yUSD Share Price Manipulation
Starting from Oct-27-2021 01:54:10 PM UTC, Cream Finance was exploited using a flaw in the share price calculation of Yearn Finance’s yUSD contract. In this article, we will describe the technical details of this attack step-by-step.
Related Addresses
- Exploit transaction: https://etherscan.io/tx/0x0fe2542079644e107cbf13690eb9c2c65963ccb79089ff96bfaf8dced2331c92
- Attacker’s contract #1: https://etherscan.io/address/0x961d2b694d9097f35cfffa363ef98823928a330d
- Attacker’s contract #2: https://etherscan.io/address/0xf701426b8126bc60530574cecdcb365d47973284
- Yearn Finance’s yUSD contract: https://etherscan.io/address/0x4b5bfd52124784745c1071dcb244c6688d2533d3
- Attacker’s wallet: https://etherscan.io/address/0x24354d31bc9d90f62fe5f2454709c32049cf866b
Key Attack Steps
1. Attacker’s contract #1 flash minted 500M $DAI and then deposited $DAI to get 451,065,927.89 $yDAI
2. Attacker’s contract #1 added liquidity using $yDAI to get yDAI+yUSDC+yUSDT+yTUSD and then deposited to Yearn Finance’s yUSD contract to get 446,756,774.41 $yUSD
3. Attacker’s contract #1 deposited $yUSD to Cream to mint 22,337,774,341.38 $crYUSD
4. Attacker’s contract #2 flash loaned 524,102.159 $wETH from Aave and transferred 6000 $wETH to Attacker’s contract #1
5. Attacker’s contract #2 deposited 518,102.15 $ETH to mint 24,951,862.27 $crETH from Cream $crETH
6. Attacker’s contract #2 borrowed 446,758,198.60 $yUSD from Cream $crYUSD Vault, used $yUSD to mint 22,337,845,550.60 $crYUSD, and transferred $crYUSD to Attacker’s contract #1 twice
7. Attacker’s contract #2 borrowed 446,758,198.60 $yUSD from Cream $crYUSD Vault and transferred $crYUSD to Attacker’s contract #1
8. Attacker’s contract #1 swapped 1,873 $wETH for 7,453,002 $USDC
9. Attacker’s contract #1 swapped 3,726,501 $USDC for 3,383,317 $DUSD
10. Attacker’s contract #1 redeemed 3,383,317 $DUSD for 3,022,172 $yUSD
11. Attacker’s contract #1 used 449,780,371 $yUSD to withdraw 450,228,633 yDAI+yUSDC+yUSDT+yTUSD
12. Attacker’s contract #1 transferred 8,431,514.82 $yDAI+yUSDC+yUSDT+yTUSD directly to the $yUSD contract in order to manipulate the pricePerShare (this is the key step in this attack)
13. Attacker’s contract #1 borrowed 523,208 $ETH
14. Attacker’s contract #1 borrowed the other assets from Cream Finance’s vaults
15. Attacker’s contract #2 returned the 524,573.85 $WETH flash loaned to Aave
16. Attacker’s contract #1 removed liquidity of 441,630,795.41 $yDAI+yUSDC+yUSDT+yTUSD to get 445,331,495.26 $yDAI
17. Attacker’s contract #1 used 445,331,495.27 $yDAI to withdraw 493,643,465.09 $DAI
18. Attacker’s contract #1 swapped 6,360,562.84 $USDC for 6,356,534.90 $DAI
19. Attacker’s contract #1 returned the 500M $DAI flash minted
Root Cause
This attack is caused by a flaw in the pricePerShare() function of the $yUSD contract.
The price is calculated using the _shareValue() function.
The _shareValue() function takes the value returned by the _freeFunds() function and divides it by the total supply of the $yUSD contract.
The _freeFunds() function returns the amount of free assets, calculated as the total assets minus the locked profit.
The total assets are calculated using the _totalAssets() function, which returns the sum of the token balance and the total debt.
By transferring the $yDAI+yUSDC+yUSDT+yTUSD directly to the $yUSD contract, the attacker was able to increase the total asset, which leads to the inflation of the price per share. With the inflated price per share, the attacker’s collateral value is significantly amplified, allowing the attacker to borrow more assets than the actual collateral value.
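The calculation chain described above can be modelled in a few lines. The following is an added example, not code from the yUSD or Cream contracts: the Vault class, the accounted_balance field, the borrow_limit and price_jump_bps helpers, the 75% collateral factor and all amounts are constructed assumptions. It shows how a direct token transfer moves a balance-based share price and the borrowing power derived from it, while a price computed from internally tracked deposits does not move.

```python
from dataclasses import dataclass

SCALE = 10**18  # 18-decimal fixed point

@dataclass
class Vault:
    token_balance: int      # what token.balanceOf(vault) reports
    accounted_balance: int  # hypothetical: moved only by deposit/withdraw
    total_debt: int
    locked_profit: int
    total_supply: int

    def donate(self, amount: int) -> None:
        # Plain token transfer to the vault address: no vault code runs,
        # no shares are minted, internal accounting is not updated.
        self.token_balance += amount

    def price_per_share(self, use_accounted: bool = False) -> int:
        balance = self.accounted_balance if use_accounted else self.token_balance
        total_assets = balance + self.total_debt        # _totalAssets()
        free_funds = total_assets - self.locked_profit  # _freeFunds()
        return free_funds * SCALE // self.total_supply  # _shareValue() of one share

def borrow_limit(shares: int, price: int, factor_bps: int) -> int:
    """Lender-side borrowing power of share collateral (hypothetical helper)."""
    return shares * price // SCALE * factor_bps // 10_000

def price_jump_bps(old: int, new: int) -> int:
    """Relative price change in basis points; a lender can reject large jumps."""
    return abs(new - old) * 10_000 // old

def simulate() -> dict:
    # Constructed numbers, not the on-chain values from the incident.
    m = 10**6 * SCALE
    v = Vault(10 * m, 10 * m, 0, 0, 10 * m)
    collateral = 4 * m  # shares posted as collateral at the lender
    before = v.price_per_share()
    v.donate(10 * m)
    after = v.price_per_share()
    return {
        "before": before, "after": after,
        "hardened": v.price_per_share(use_accounted=True),
        "limit_before": borrow_limit(collateral, before, 7_500),
        "limit_after": borrow_limit(collateral, after, 7_500),
        "jump_bps": price_jump_bps(before, after),
    }

if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

In this model the same collateral shares support twice the borrowing after the transfer, and a lender comparing the new price against the previously observed one would see a 10,000 bps jump.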
Conclusion
In summary, the attacker gained multiple assets which are worth more than $100M.
List of Drained Assets
Transaction #1 (https://etherscan.io/tx/0x0fe2542079644e107cbf13690eb9c2c65963ccb79089ff96bfaf8dced2331c92):
- 2,760.219 $Ether
- 12,266 $CRETH2
- 623,760 $xSUSHI
- 135,402 $wNXM
- 447,222 $PERP
- 418,917 $RUNE
- 15,567 $DPI
- 156,629 $UNI
- 4,324,457 $USDC
- 3,817,374 $FEI
- 3,780,808 $USDT
- 747 $yvCurve-stETH
- 6,937 $GNO
- 38,922 $FTX
- 341,681 $YGG
Transaction #2 (https://etherscan.io/tx/0x5189ac29b4d7ed7c1e78423f679f376ac0a2b32158349db84b01677f0608aac8):
- 32.729 $WBTC
- 116,602.960 $SUSHI
- 1,272,378.566 $OCEAN
- 35.070 $YFI
- 20.082 $HBTC
- 23.260 $renBTC
- 611.572 $SLP (DAI-WETH)
- 510,018.968 $BUSD
- 48,361.418 $bBADGE
- 79,792.244 $SWAP
Transaction #3 (https://etherscan.io/tx/0xa43053e945df7a0e407b083a3a1068f11d7e799bbe7dc99e8d8205f5cac2cd68):
- 871.599 $KP3R
- 137,235.688 $FTM
- 11,790.557 $LINK
- 165,940.538 $CRV
- 1,325,841.965 $DAI
- 4,914.341 $HFIL
- 46,893.188 $vVSP
- 2,190.164 $AAVE
- 482,582.887 $yvCurve-IronBank
- 803,779.111 $UST
- 578,182.813 $WOO
- 27,962.138 $BAL
- 782,197.337 $FRAX
Transaction #4 (https://etherscan.io/tx/0x0e560a840eaa749a9b55f1cae4b48d3e03c6f2060d65fbf66414008c29e77c27):
- 109,383.937 $SRM
- 1,067,935.593 $OGN
- 12,804.664 $BNT
- 899.857 $BOND
- 0.980 $ibBTC
- 538,952.213 $HEGIC
- 488.505 $VSP
- 2,821,793.098 $ESD
- 88,956.331 $MANA
- 275.101 $COMP
Transaction #5 (https://etherscan.io/tx/0x426c4ee29c3bc19ecb036cfedbca095c16847f8b688edaab7b1812577a3ab8a0):
- 7,815.941 $OMG
- 76.066 $PICKLE
- 3,203,107.696 $AKRO
- 3,102.996 $SAND
- 1,515,737.117 $ARMOR
- 283,272.628 $MTA
- 64,359.291 $1INCH
- 54,380.2204 $CEL
Transaction #6 (https://etherscan.io/tx/0x59a98612d1fc3c8dc2b404258dfa46083a5635a2775659f8de3db18aec1b326c):
- 194,020.716 $ALPHA
Transaction #7 (https://etherscan.io/tx/0xb9583254ecd4efca21759e6ed5c8314ea918246d02f0f5fca580d7eb24b4e79c):
- 3,085.275 $SLP (SUSHI-WETH)
- 16.600 $SLP (YFI-WETH)
About Inspex
Inspex is formed by a team of cybersecurity experts highly experienced in various fields of cybersecurity. We provide blockchain and smart contract professional services at the highest quality to enhance the security of our clients and the overall blockchain ecosystem.