Bug bounties and contract audits are providing ineffective platform security as Cream Finance is forced to offer a 10% reward to the attacker who exploited its smart contract and stole $130 million worth of tokens.
In the October 27th exploit of a ‘Flash Loan’ against Taiwan based Cream Finance, the company says an attacker flash borrowed DAI from MakerDAO to create a large amount of yUSD tokens, while simultaneously exploiting the price oracle calculation for the yUSD price through the manipulation of the multi-asset liquidity pool.
The hacker was ultimately able to drain the liquidity from Cream’s Ethereum wallets, making off with over 60 different assets valued at around $130 million. Cream says the entire exploit all took place in a single transaction. Since the attack, Cream has suspended all its Ethereum v1 markets.
Cream Finance has a long history of major hacks – many occurring just this year. In February the DeFi platform lost $37 million, and it was hit again in August – losing $29 million in another smart contract exploit.
Smart contract attacks a legal grey area
Cream has stated in its Twitter feed that it is “working with authorities to trace the attacker.” In reality, though, as has been evidenced in multiple earlier DeFi attacks, there is little that law enforcement can do. One reason for this is that it is arguable that exploitations of smart contracts are not crimes at all.
In this case, for example, the person who made off with the funds has simply worked within the code of Cream’s smart contracts to create a profitable scenario. They have then exploited that profitable scenario to the financial detriment of other contract holders on the Cream Finance platform. The code permitted them to do so.
From a legal perspective, this is quite unlike a real-world robbery, or an exchange hack, and it’s unlikely anyone who profits in this way from manipulating smart contracts to their advantage will ever face legal repercussions.
Smart contract audits offer little protection
The latest Cream Finance contract exploitation once again shines a light on just how vulnerable DeFi platforms are to contract manipulation–and on how ineffectual the supposed security buffer of independent smart contract ‘audits’ has been in protecting user funds.
In Cream’s case, it was last audited by Trail of Bits on January 28th this year. In its report summary Trail of Bits notes that the amount of time allowed for the audit was very short – only two days. Given the reduced time available, Trail of Bits says it focused on flaws that would permit an attacker to;
- Manipulate asset prices returned by the price oracles.
- Subvert the imposed caps on borrowing or supplying.
- Bypass access controls to modify contract state.
In its January audit report of Cream Finance, Trail of Bits identified three issues “ranging from medium to informational in severity.” The company says the medium-severity issue related to how the Cream price oracle was a single point of failure for the system. The auditors provided recommendations on how to address these issues.
It is unknown if these recommendations were acted on, but as noted above, Cream Finance has suffered three major contract exploit incidents since the Trail of Bits audit was completed.
And they’re not the only ones. In March Haechi Audit announced it had completed a smart contract audit of Pancake Bunny and found zero critical issues, zero major issues – and only two minor issues. Pancake Bunny was subsequently attacked in May and lost $45 million to a smart contract exploit.
Similarly, in November 2020 Value Defi released a long list of audits of its smart contracts that had been completed by The Arcadia Group, PeckShield and Pessimistic, only to lose $6 million in a flash loan exploit just days later.
Clearly, the current system of third-party smart contract audits and bug bounty programs is not up to the task of protecting the decentralized finance sector.
Cream Finance says it is “working to repay lost funds” and will release details of a repayment plan to make impacted parties whole again in “coming days.” For now, though, the best the platform has been able to do is appeal to the perpetrator’s better nature and ask them to give the money back – for a $13 million fee.
“We encourage the attacker to reach out and begin a dialogue for the return of our users’ funds. They are impacting everyday users of DeFi and we would like them to do the right thing. We will honor a bug bounty of 10% upon return of funds.”