Flash loan attack exploiting a price manipulation vulnerability in Cream's lending protocol drained $130M.
The attacker used two flash loans totaling $1.5B to manipulate the price of yUSD (Yearn's interest-bearing stablecoin), which was used as collateral in Cream. By inflating yUSD's price, they borrowed far more than the actual collateral value, draining the protocol's reserves.
Stolen funds converted and moved through Tornado Cash. Attacker's identity linked to previous Cream hacks. Funds dispersed across multiple wallets. This was Cream's third major hack in 2021, raising serious concerns about protocol security culture.
0x0fe2a0e88f7a9b0c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6