Last updated: Dec 05, 2022
C.R.E.A.M. Finance is a decentralized lending protocol providing financial services to its users in a permissionless, non-custodial way. The money markets provided by the company are focused on “longtail assets” with an ultimate goal of increasing the capital efficiency for all supported assets. Through these markets, users can lend assets, and use the provided capital as collateral for borrowing another asset.
The C.R.E.A.M. Protocol is a forked version of Compound Finance. The platform supports stablecoins, interest-bearing stablecoins, DeFi tokens, LP tokens, and other cryptocurrencies. All supported assets can be found here.
The main products offered by the company are lending and borrowing, staking, and liquidity mining. The peer-to-peer lending and borrowing provided by the platform is similar to Compound Finance and other DeFi protocols; however, Cream Finance supports tokens that are less established and under-served by other protocols.
Cream’s v2 launched a product called “Iron Bank”, which acts as the project’s protocol-to-protocol lending platform with zero collateral required to borrow crypto. This feature is, however, only available to whitelisted projects such as Yearn Vaults and Alpha Homora.
Another of the project’s v2 features is “Boosted Savings” which allows users to earn higher APY through automated delegation, consisting of lending interest and shared validator rewards.
Users can also stake CREAM tokens which can have a varying APY, depending on the duration of the staking period, during which tokens are locked and cannot be utilized for trading or voting purposes.
Cream Swap is forked from Balancer and acts as a DEX with an automated market maker working similarly to Balancer and Uniswap. The swap fee on the platform is 0.25% and the company distributes 3000 CREAM tokens daily to CREAM trading pairs, as well as 500 CREAM tokens for other liquidity pools.
The C.R.E.A.M. Finance app has a similar interface to the one Compound Finance uses; however, the protocol aims to target high-potential, high-risk assets. To interact with the protocol’s borrow feature, users need to have in their accounts an amount of funds greater than the amount to be borrowed. If these conditions are met, clients of Cream Finance can borrow a percentage of the total value of the assets they deposit into the platform. This deposit acts as collateral and may be liquidated if its USD value falls below a predetermined threshold. The interest rate is determined by the supply and demand of the underlying asset. The collateral factor (LTV) and the reserve factor (a CREAM protocol fee) for each token can be found here.
When using the protocol to exchange cryptocurrencies, a C.R.E.A.M. Finance fee of 0.3% is charged for each swap. As a result of the implemented Balancer’s mechanics, token swaps on Cream Swap happen autonomously and eliminate the need for centralized components like an order book.
C.R.E.A.M. Finance wallet support currently includes MetaMask and Binance Chain Wallet, as well as wallets supported by WalletConnect, and others.
CREAM is an ERC-20 token built on Ethereum and is rewarded to users interacting with the Cream Finance app either by lending and borrowing or by providing liquidity to any of the various protocols on the platform.
The Cream Finance token CREAM used to be the protocol’s governance token; however, after an update following a proposal through the community’s governance platform, the company introduced iceCREAM tokens and gave them the voting power. To receive iceCREAM, users need to lock CREAM for a period of between one week and four years. The token is non-transferable and non-tradeable.
When taking part in liquidity mining through any of the borrow markets, a user’s vote, once cast, remains directed at the chosen pools unless modified. Users can change their votes each week and can allocate their iceCREAM to different pools. Through this token, holders can control the CREAM emission across all Cream Finance markets.
Cream Finance has suffered from various exploits and other security incidents. In February 2021, Alpha Finance’s Alpha Homora V2 was exploited through Cream Finance’s Iron Bank protocol. The attack resulted in a loss of approximately $38M, and to this day, it remains one of the largest exploits in DeFi.
The attack was made possible through an exploit in the Alpha Homora V2 sUSD pool, through which the malicious party was able to borrow ETH, DAI, USDC, and USDT from the Iron Bank and managed to withdraw these funds through Tornado Cash and a Curve Aave pool.
In March 2021, Cream Finance’s DNS was hijacked due to a compromised hosting provider account controlled by the company’s team. The hijacked DNS redirected users to a phishing page. The team claims this incident didn’t affect users of the protocol and all funds remained safe during the short time they needed to resolve the issue.
On the last day of August 2021, Cream Finance was exploited for 462,079,976 AMP tokens and 2,804.96 ETH tokens. The team describes the incident as two separate ones: a main exploit and a smaller copycat, whose address had a withdrawal history from Binance. As noted by Cream Finance themselves, this is the first time the company was exploited directly. Later on, with the assistance of PeckShield, it was determined that the cause of the exploit was an error in the way Cream Finance integrates AMP into the protocol. The project’s team admitted their fault and deployed a patch.
In October 2021, Cream Finance’s V1 Ethereum markets were once again exploited, resulting in a $130M loss this time. The team distributed 1,453,415 CREAM tokens to all impacted users. The tokens utilized for the incentive were taken from the Treasury and removed the team’s remaining CREAM token allocation at the time, which ended all further CREAM allocations to the team.
Halborn reviewed the incident and described it as two accounts having exploited price calculation errors with flash loan attacks; more precisely, MakerDAO and AAVE were targeted to provide DAI and ETH tokens. The maliciously gained DAI was then deposited into Curve’s yPool for yDAI, which was used to mint yUSD, while the ETH was used as collateral to borrow more yUSD. All of the yUSD was deposited into Yearn’s yUSD strategy and used to create yUSDVault tokens. Once acquired, the new digital asset was used as collateral on CREAM to mint crYUSD. One of the addresses used in the attack then sent approximately $500M worth of yUSDVault tokens to the first address. This process was repeated multiple times.
In total, the attackers managed to accrue around $1.5B in crYUSD and $500M in yUSDVault, which was then redeemed for yUSD, decreasing the total supply of yUSDVault tokens in the vault itself to about $8M. At that point, the attacker deposited about $8M yUSD into the vault, doubling its overall value.
These actions caused CREAM’s PriceOracleProxy algorithm to perceive the value of yUSDVault shares, or crYUSD, as double, resulting in one of the addresses taking part in the attack being valued at $3B. At that point, the attackers drained CREAM’s $130M worth of available assets. Given the amount of collateral possessed by the attackers, the incident could have resulted in far bigger losses, had there been more funds available for lending on the platform.
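A simplified model of the valuation flaw described above, next to one possible mitigation; this is an added example, not CREAM's, Yearn's or Halborn's code. It assumes the extra yUSD raised the vault's assets without minting new shares; `Vault`, `BoundedOracle` and the 2% cap are hypothetical, and the figures are the rounded ones from the text.

```python
from dataclasses import dataclass

SCALE = 10**18  # fixed-point scale for prices, as on-chain code would use


@dataclass
class Vault:
    total_assets: int  # yUSD held by the vault
    total_shares: int  # vault shares outstanding

    def price_per_share(self) -> int:
        # Spot price: jumps at once when assets change but shares do not.
        return self.total_assets * SCALE // self.total_shares


def collateral_value(shares: int, price: int) -> int:
    """USD value a lending market assigns to collateral priced per share."""
    return shares * price // SCALE


class BoundedOracle:
    """Hypothetical mitigation: accept at most max_move_bps change per update."""

    def __init__(self, initial_price: int, max_move_bps: int = 200):
        self.price = initial_price
        self.max_move_bps = max_move_bps

    def update(self, observed: int) -> int:
        lo = self.price * (10_000 - self.max_move_bps) // 10_000
        hi = self.price * (10_000 + self.max_move_bps) // 10_000
        self.price = min(max(observed, lo), hi)  # clamp the spot reading
        return self.price


def simulate() -> dict:
    # Constructed round figures based on the account above.
    vault = Vault(total_assets=8_000_000, total_shares=8_000_000)
    claim = 1_500_000_000  # collateral claim denominated in vault shares
    oracle = BoundedOracle(vault.price_per_share())
    before = collateral_value(claim, vault.price_per_share())
    vault.total_assets += 8_000_000  # assumption: assets rise, no new shares
    spot = collateral_value(claim, vault.price_per_share())
    bounded = collateral_value(claim, oracle.update(vault.price_per_share()))
    return {"before": before, "spot": spot, "bounded": bounded}


if __name__ == "__main__":
    print(simulate())
```

With spot pricing the collateral is valued at $3B after the vault's assets double, while the bounded reading moves by at most the cap in a single update.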
The Cream Finance team was co-founded by Jeffrey Huang and Leo Cheng. Jeffrey Huang has experience with startup companies and is also the founder of Machi X, a platform for tokenized digital art, again with his partner. Leo Cheng has experience in business management and has worked for Applied Materials, Apple, American Express, and Belkin. He is also co-founder of Blockstate, which is a company offering token sale advice and general blockchain technology consulting services.
C.R.E.A.M. Finance audits can be found in the protocol dashboard on this webpage.
Among the most interesting partnerships in the CREAM ecosystem is the one with PleasrDAO, which resulted in the first DAO-to-DAO loan on the Cream Finance platform and, as claimed by the team, in DeFi in general. The loan was backed by an NFT collection with claims for historical value and provides for a $3.5mm USD credit line from the Iron Bank to PleasrDAO. The combined purchase price of PleasrDAO’s NFTs had a value of $10.1mm USD. The loan is planned to be used for further NFT investments by PleasrDAO.
Recently, Cream Finance also announced a collaboration with Yearn Finance aimed at bringing the Iron Bank protocols to the Fantom network. There is also a partnership with Band Protocol, which provides Cream Finance with price oracle data for their BSC and Fantom network lending and borrowing markets.
There is no Cream Finance roadmap published officially at the time of writing this review.