According to Cream’s native front-end, most Ethereum-based pools are now empty, with the exception of a $ 40 million CREAM pool. As of October 23, the protocol’s Ethereum markets had $ 300 million in assets.
Cream’s official Twitter account acknowledged the attack in a Tweet:
According to DeFillama, the protocol has an additional locked-in total value of $ 460 million (TVL) on Binance Smart Chain, Polygon, Avalanche and Fantom. It is not known if these funds are also at risk.
The funds appear to have been taken using a flash loan in a particularly complex transaction involving 68 different assets and costing over 9 ETH in gas. Of the $ 260 million lost, the attacker has recouped around $ 130 million in various cryptocurrencies, of which $ 40.6 million may be in illiquid crETH, a staked ETH derivative that may prove difficult to sell for the attacker.
The attacker is now working to ‘wash’ funds primarily using Ren’s Bitcoin bridge. As is often the case with exploits, individuals now use Ethereum transactions to request donations.
A representative for Cream did not respond to a request for comment at press time.
UPDATE (October 27 16:07 UTC): Added TVL information, market size information, and new developments from attacker’s Ethereum address. Removed reference to 3Pool from Curve as a mixer.