CREAM's PriceOracleProxy priced crYUSD collateral (the CREAM market for yUSDVault shares) by calling yUSDVault.pricePerShare() at the moment of each valuation, a value the Yearn vault computes as totalAssets / totalSupply. Within a single transaction, funded by flash loans from MakerDAO and AAVE, the attacker (a) built a crYUSD collateral position of ~$1.5B on CREAM from yUSDVault shares, (b) redeemed ~$500M of yUSDVault shares from Yearn, leaving only ~$8M of shares outstanding, and (c) transferred ~$8M of yUSD directly into the vault. Because that donation added assets without minting shares, and the share count had just been deflated, it roughly doubled pricePerShare inside the same transaction. CREAM's oracle re-read the manipulated value and re-valued the attacker's existing crYUSD position at ~$3B, unlocking enough borrow capacity to drain ~$130M of liquidity across CREAM's markets. The vulnerability class is a spot oracle that reads a derivative token's share price atomically, with no TWAP, no deposit cap, and no sanity bound on how far the price may move between reads.
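The share-price arithmetic above, as an added model that is not code from CREAM, Yearn or DeFiHackLabs. The vault reproduces the Yearn v2 accounting the summary describes (pricePerShare = totalAssets * 1e18 / totalSupply); the SpotOracle mirrors the trust-the-current-reading behaviour, while BoundedOracle, its 5% deviation bound, and the scaled dollar figures are assumptions chosen to illustrate one possible sanity check. The ~$1.5B lender-side position is taken as given, since how it was booked is outside this model.

```python
"""Model of the yUSDVault pricePerShare manipulation used against CREAM.

Added illustration (not CREAM, Yearn or DeFiHackLabs code). Vault accounting
follows Yearn v2 as described on the page; the oracle classes, the 500 bps
bound and the dollar amounts are assumptions.
"""
from dataclasses import dataclass, field

WAD = 10**18  # 18-decimal fixed point, as used by Yearn vault shares
BPS = 10_000


def usd(n: int) -> int:
    """Whole-dollar amount expressed in 18-decimal units."""
    return n * WAD


@dataclass
class Vault:
    """Minimal Yearn-v2-style vault: a share is a pro-rata claim on total_assets."""
    total_assets: int = 0
    total_supply: int = 0
    balances: dict = field(default_factory=dict)

    def price_per_share(self) -> int:
        if self.total_supply == 0:
            return WAD
        return self.total_assets * WAD // self.total_supply

    def deposit(self, who: str, assets: int) -> int:
        shares = assets if self.total_supply == 0 else assets * self.total_supply // self.total_assets
        self.total_assets += assets
        self.total_supply += shares
        self.balances[who] = self.balances.get(who, 0) + shares
        return shares

    def redeem(self, who: str, shares: int) -> int:
        assets = shares * self.total_assets // self.total_supply
        self.balances[who] -= shares
        self.total_supply -= shares
        self.total_assets -= assets
        return assets

    def donate(self, assets: int) -> None:
        """Plain token transfer into the vault: raises total_assets, mints no shares."""
        self.total_assets += assets


class PriceDeviation(Exception):
    pass


class SpotOracle:
    """What PriceOracleProxy did: trust whatever the vault reports right now."""
    def __init__(self, vault: Vault):
        self.vault = vault

    def price(self) -> int:
        return self.vault.price_per_share()


class BoundedOracle:
    """Assumed hardening (not CREAM's actual fix): reject a reading that moves more
    than max_bps from the last value accepted, so an in-transaction jump cannot be
    turned into borrow capacity in the same transaction."""
    def __init__(self, vault: Vault, max_bps: int = 500):
        self.vault = vault
        self.max_bps = max_bps
        self.last_accepted = vault.price_per_share()

    def price(self) -> int:
        current = self.vault.price_per_share()
        deviation = abs(current - self.last_accepted) * BPS // self.last_accepted
        if deviation > self.max_bps:
            raise PriceDeviation(f"pricePerShare moved {deviation} bps since last accepted value")
        return current


def collateral_value(shares: int, price: int) -> int:
    return shares * price // WAD


def _seeded_vault() -> Vault:
    vault = Vault()
    vault.deposit("lp", usd(8_000_000))          # pre-existing depositors (assumed)
    vault.deposit("attacker", usd(500_000_000))  # flash-loaned capital
    return vault


def run_attack(oracle_cls):
    """Replay redeem-then-donate in one transaction. Returns (value_before, value_after)
    of a 1.5B-share lender position; value_after is None if the oracle rejected the read."""
    vault = _seeded_vault()
    oracle = oracle_cls(vault)
    position = usd(1_500_000_000)  # lender-side crYUSD balance, taken as given
    before = collateral_value(position, oracle.price())
    vault.redeem("attacker", usd(500_000_000))  # supply 508M -> 8M shares, pps unchanged
    vault.donate(usd(8_000_000))                # assets 8M -> 16M, pps doubles
    try:
        after = collateral_value(position, oracle.price())
    except PriceDeviation:
        after = None
    return before, after


def run_honest_harvest(oracle_cls) -> int:
    """A legitimate 0.5% yield credit must still pass the bounded oracle."""
    vault = _seeded_vault()
    oracle = oracle_cls(vault)
    vault.donate(vault.total_assets * 50 // BPS)
    return oracle.price()


if __name__ == "__main__":
    print("spot oracle   :", [v and v // WAD for v in run_attack(SpotOracle)])
    print("bounded oracle:", [v and v // WAD for v in run_attack(BoundedOracle)])
    print("honest harvest:", run_honest_harvest(BoundedOracle) / WAD)
```

The spot oracle values the same share balance at $1.5B before the redeem/donate pair and $3B after it; the bounded variant accepts the honest 0.5% move and refuses the 100% jump. A deviation bound alone is still a heuristic: it limits per-read drift but does not replace a TWAP or a cap on how much of the vault's supply a single market may accept as collateral.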
A reproducible Foundry test of this exploit lives in SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the test file path given above, and replay the exploit against a mainnet fork pinned to the historical block the test selects. Use it for reproduction only, never against live targets.
Classification: Ecosystem. Technique: Flashloan Price Oracle Attack. Target type: DeFi Protocol. Affected chains: Ethereum. Implementation language: Solidity.
- chain: ethereum
- protocol: CREAM Lending
- bug_class: oracle
- date_occurred: 2021-10-27
- loss_usd: $130,000,000
- classification: Ecosystem
- technique: Flashloan Price Oracle Attack
- target_type: DeFi Protocol
- language: Solidity
- source_id: dl:121