Cream Finance’s Incident Analysis — $yUSD Share Price Manipulation

Starting from Oct 27, 2021, 01:54:10 PM UTC, Cream Finance was exploited using a flaw in the share price calculation of Yearn Finance’s yUSD contract. In this article, we will describe the technical details of this attack step-by-step.

Related Addresses

Key Attack Steps

1. Attacker’s contract #1 flash minted 500M $DAI and then deposited $DAI to get 451,065,927.89 $yDAI

2. Attacker’s contract #1 added liquidity using $yDAI to get yDAI+yUSDC+yUSDT+yTUSD and then deposited to Yearn Finance’s yUSD contract to get 446,756,774.41 $yUSD

3. Attacker’s contract #1 deposited $yUSD to Cream for minting 22,337,774,341.38 $crYUSD

4. Attacker’s contract #2 flash loaned 524,102.159 $wETH from Aave and transferred 6000 $wETH to Attacker’s contract #1

5. Attacker’s contract #2 deposited 518,102.15 $ETH into Cream’s $crETH vault to mint 24,951,862.27 $crETH

6. Attacker’s contract #2 borrowed 446,758,198.60 $yUSD from Cream $crYUSD Vault, used $yUSD to mint 22,337,845,550.60 $crYUSD, and transferred $crYUSD to Attacker’s contract #1 twice

7. Attacker’s contract #2 borrowed 446,758,198.60 $yUSD from Cream $crYUSD Vault and transferred $crYUSD to Attacker’s contract #1

8. Attacker’s contract #1 swapped 1,873 $wETH for 7,453,002 $USDC

9. Attacker’s contract #1 swapped 3,726,501 $USDC for 3,383,317 $DUSD

10. Attacker’s contract #1 redeemed 3,383,317 $DUSD for 3,022,172 $yUSD

11. Attacker’s contract #1 used 449,780,371 $yUSD to withdraw 450,228,633 yDAI+yUSDC+yUSDT+yTUSD

12. Attacker’s contract #1 transferred 8,431,514.82 $yDAI+yUSDC+yUSDT+yTUSD directly to the $yUSD contract to manipulate the pricePerShare (this is the key step in this attack)

13. Attacker’s contract #1 borrowed 523,208 $ETH

14. Attacker’s contract #1 borrowed the other assets from Cream Finance’s vaults

15. Attacker’s contract #2 returned the 524,573.85 $WETH flash loaned to Aave

16. Attacker’s contract #1 removed liquidity of 441,630,795.41 $yDAI+yUSDC+yUSDT+yTUSD to get 445,331,495.26 $yDAI

17. Attacker’s contract #1 used 445,331,495.27 $yDAI to withdraw 493,643,465.09 $DAI

18. Attacker’s contract #1 swapped 6,360,562.84 $USDC to 6,356,534.90 $DAI

19. Attacker’s contract #1 returned the 500M $DAI flash minted

Root Cause

This attack is caused by a flaw in the pricePerShare() function of the $yUSD contract.

pricePerShare() computes the price by calling the _shareValue() function.

https://github.com/yearn/yearn-vaults/blob/a113064afd59ecac6ae4f8ed9bfe0d0d00c727a3/contracts/Vault.vy#L1139-L1147

The _shareValue() function takes the value returned by _freeFunds() and divides it by the total supply of the $yUSD contract.

https://github.com/yearn/yearn-vaults/blob/a113064afd59ecac6ae4f8ed9bfe0d0d00c727a3/contracts/Vault.vy#L916-L930

The _freeFunds() function returns the amount of free assets, i.e. the total assets minus the locked profit.

https://github.com/yearn/yearn-vaults/blob/a113064afd59ecac6ae4f8ed9bfe0d0d00c727a3/contracts/Vault.vy#L821-L824

The total assets are calculated by the _totalAssets() function, which returns the sum of the vault’s token balance and its total debt.

https://github.com/yearn/yearn-vaults/blob/a113064afd59ecac6ae4f8ed9bfe0d0d00c727a3/contracts/Vault.vy#L786-L790

By transferring the $yDAI+yUSDC+yUSDT+yTUSD directly to the $yUSD contract, the attacker increased the vault’s token balance, and therefore its total assets, without minting any new shares, which inflates the price per share. With the inflated price per share, the attacker’s $crYUSD collateral value was significantly amplified, allowing the attacker to borrow more assets than the actual collateral was worth.
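To make the root cause concrete, here is a small Python model, added here and not Yearn’s Vyper code or Cream’s contracts, of the four functions above: it shows how a direct token transfer raises pricePerShare without minting shares, and includes a hypothetical deviation check that a lending market could apply before trusting the price. All numbers are constructed, not taken from the incident.

```python
from dataclasses import dataclass

SCALE = 10**18  # share price uses 18 decimals, like the underlying token


@dataclass
class VaultModel:
    """Simplified model of the yUSD share-price path (hypothetical, not the Vyper code)."""
    token_balance: int  # token.balanceOf(vault): includes tokens sent directly to it
    total_debt: int     # assets lent out to strategies
    locked_profit: int  # profit not yet unlocked for withdrawal
    total_supply: int   # vault shares outstanding

    def total_assets(self) -> int:      # _totalAssets(): balance + debt
        return self.token_balance + self.total_debt

    def free_funds(self) -> int:        # _freeFunds(): total assets - locked profit
        return self.total_assets() - self.locked_profit

    def price_per_share(self) -> int:   # _shareValue(1 share): freeFunds / totalSupply
        if self.total_supply == 0:
            return SCALE
        return self.free_funds() * SCALE // self.total_supply

    def donate(self, amount: int) -> None:
        # A plain ERC-20 transfer to the vault: the balance rises but no shares are
        # minted, so every existing share is now valued higher.
        self.token_balance += amount


def collateral_value(shares: int, pps: int) -> int:
    """Value a lending market assigns to `shares` priced at `pps` (both 18-decimal)."""
    return shares * pps // SCALE


def pps_jump_exceeds(old_pps: int, new_pps: int, max_bps: int) -> bool:
    """Hypothetical guard: flag a share-price move larger than max_bps basis points."""
    if old_pps == 0:
        return True
    return abs(new_pps - old_pps) * 10_000 // old_pps > max_bps


if __name__ == "__main__":
    v = VaultModel(token_balance=8_000_000 * SCALE, total_debt=0,
                   locked_profit=0, total_supply=8_000_000 * SCALE)
    before = v.price_per_share()
    v.donate(8_000_000 * SCALE)  # constructed donation equal to the vault's balance
    after = v.price_per_share()
    print(before / SCALE, "->", after / SCALE)            # 1.0 -> 2.0
    print("flagged:", pps_jump_exceeds(before, after, 1_000))  # flagged: True
```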

Conclusion

In summary, the attacker gained multiple assets worth more than $100M in total.

List of Drained Assets

Transaction #1 (https://etherscan.io/tx/0x0fe2542079644e107cbf13690eb9c2c65963ccb79089ff96bfaf8dced2331c92):

  • 2,760.219 $Ether
  • 12,266 $CRETH2
  • 623,760 $xSUSHI
  • 135,402 $wNXM
  • 447,222 $PERP
  • 418,917 $RUNE
  • 15,567 $DPI
  • 156,629 $UNI
  • 4,324,457 $USDC
  • 3,817,374 $FEI
  • 3,780,808 $USDT
  • 747 $yvCurve-stETH
  • 6,937 $GNO
  • 38,922 $FTX
  • 341,681 $YGG

Transaction #2 (https://etherscan.io/tx/0x5189ac29b4d7ed7c1e78423f679f376ac0a2b32158349db84b01677f0608aac8):

  • 32.729 $WBTC
  • 116,602.960 $SUSHI
  • 1,272,378.566 $OCEAN
  • 35.070 $YFI
  • 20.082 $HBTC
  • 23.260 $renBTC
  • 611.572 $SLP (DAI-WETH)
  • 510,018.968 $BUSD
  • 48,361.418 $bBADGE
  • 79,792.244 $SWAP

Transaction #3 (https://etherscan.io/tx/0xa43053e945df7a0e407b083a3a1068f11d7e799bbe7dc99e8d8205f5cac2cd68):

  • 871.599 $KP3R
  • 137,235.688 $FTM
  • 11,790.557 $LINK
  • 165,940.538 $CRV
  • 1,325,841.965 $DAI
  • 4,914.341 $HFIL
  • 46,893.188 $vVSP
  • 2,190.164 $AAVE
  • 482,582.887 $yvCurve-IronBank
  • 803,779.111 $UST
  • 578,182.813 $WOO
  • 27,962.138 $BAL
  • 782,197.337 $FRAX

Transaction #4 (https://etherscan.io/tx/0x0e560a840eaa749a9b55f1cae4b48d3e03c6f2060d65fbf66414008c29e77c27):

  • 109,383.937 $SRM
  • 1,067,935.593 $OGN
  • 12,804.664 $BNT
  • 899.857 $BOND
  • 0.980 $ibBTC
  • 538,952.213 $HEGIC
  • 488.505 $VSP
  • 2,821,793.098 $ESD
  • 88,956.331 $MANA
  • 275.101 $COMP

Transaction #5 (https://etherscan.io/tx/0x426c4ee29c3bc19ecb036cfedbca095c16847f8b688edaab7b1812577a3ab8a0):

  • 7,815.941 $OMG
  • 76.066 $PICKLE
  • 3,203,107.696 $AKRO
  • 3,102.996 $SAND
  • 1,515,737.117 $ARMOR
  • 283,272.628 $MTA
  • 64,359.291 $1INCH
  • 54,380.2204 $CEL

Transaction #6 (https://etherscan.io/tx/0x59a98612d1fc3c8dc2b404258dfa46083a5635a2775659f8de3db18aec1b326c):

  • 194,020.716 $ALPHA

Transaction #7 (https://etherscan.io/tx/0xb9583254ecd4efca21759e6ed5c8314ea918246d02f0f5fca580d7eb24b4e79c):

  • 3,085.275 $SLP (SUSHI-WETH)
  • 16.600 $SLP (YFI-WETH)

About Inspex

Inspex is formed by a team of cybersecurity experts highly experienced in various fields of cybersecurity. We provide blockchain and smart contract professional services at the highest quality to enhance the security of our clients and the overall blockchain ecosystem.

For any business inquiries, please contact us via Twitter, Telegram, or contact@inspex.co

Cybersecurity professional service, specialized in blockchain and smart contract auditing https://twitter.com/InspexCo