Decentralized finance (DeFi) money market and lending service C.R.E.A.M. Finance appears to have been the target of a devastating exploit Wednesday morning that drained over $1 billion in funds, likely the largest DeFi exploit to date.
According to CREAM’s native frontend, most Ethereum-based pools are now empty. Per DeFiLlama, the protocol previously had $1.06 billion in total value locked (TVL).
The protocol has an additional $460 million in TVL across Binance Smart Chain, Polygon, Avalanche, and Fantom. It is unclear if those funds are also at risk.
The funds appear to have been taken using a flash loan in a notably complex transaction that involved 68 different assets and cost over 9 ETH in gas.
At the time of writing, the attacker’s contract holds $92 million in various crypto assets, and the contract creator’s address holds $22 million. The attacker has since consolidated those funds from the flash loan contract address to the contract creator’s address.
The attacker is now using various privacy-preserving mixing services, such as Curve’s 3pool, to ‘wash’ the funds. As is often the case following exploits, individuals are now using Ethereum transactions to ask for donations.
A CREAM representative did not respond to a request for comment by press time.
UPDATE: Added TVL information and new developments from the attacker’s Ethereum address.