Cream Finance, a lending and borrowing platform similar to Compound and Aave, also faced multiple attacks exploiting flaws in collateral valuation, interest calculations, price oracle dependencies, and liquidation logic.
- Nature of Cream Finance Vulnerabilities:
Many of Cream’s vulnerabilities stemmed from incorrect assumptions or oversights in how collateral and debt were accounted for. Attackers often manipulated collateral prices or exploited flash loans to trick the protocol into believing a position was healthier than it actually was.
- Price Manipulation and Avoiding Liquidation:
One common tactic involved artificially inflating the price of the collateral used by the attacker’s position. If the protocol relied on this inflated price, it would fail to trigger a liquidation, believing the position was still solvent. After the attacker secured their profit and the price returned to normal, the protocol was left undercollateralized, effectively absorbing the losses.
- Logical Flaws in Debt and Interest Calculations:
Some vulnerabilities emerged from incorrect interest and debt calculations. These errors allowed borrowers to take out loans that the system deemed fully backed but that in reality lacked sufficient collateral. Without accurate liquidation triggers, the protocol could not protect itself against these unbacked loans, resulting in bad debt.
The Cream Finance exploits highlighted the need for robust price oracles, secure flash loan implementations, and consistent health factor validation. Protocols must ensure that their liquidation logic can withstand price manipulation, sudden market changes, and integration complexities. Comprehensive audits, testing of economic assumptions, and strict adherence to best practices can help mitigate these risks.
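The following added example (not Cream Finance's code, and not from the original article) models the health factor check described above, once with a raw spot price and once with a deviation guard against a median of recent observations. The collateral factor, deviation threshold, price history and all function names are constructed assumptions, and the median guard is one illustrative oracle defense among several.

```python
from dataclasses import dataclass
from statistics import median

# Constructed parameters for illustration; not Cream Finance's actual values.
COLLATERAL_FACTOR = 0.75  # share of collateral value that can back debt
MAX_DEVIATION = 0.10      # spot may differ from the reference by at most 10%
HISTORY = [1.00, 1.01, 0.99, 1.00, 1.02]  # constructed recent price observations

@dataclass
class Position:
    collateral_units: float
    debt_usd: float

def health_factor(pos, price):
    """Borrowing capacity divided by debt; below 1.0 means liquidatable."""
    if pos.debt_usd == 0:
        return float("inf")
    return pos.collateral_units * price * COLLATERAL_FACTOR / pos.debt_usd

def guarded_price(spot, recent_prices):
    """Return spot if it is within MAX_DEVIATION of the median, else None."""
    reference = median(recent_prices)
    if abs(spot - reference) / reference > MAX_DEVIATION:
        return None
    return spot

def try_borrow(pos, amount_usd, spot, recent_prices, guarded):
    """Approve a borrow only if the health factor stays >= 1 at the price used."""
    price = guarded_price(spot, recent_prices) if guarded else spot
    if price is None:
        return pos, False  # oracle reading rejected, position unchanged
    candidate = Position(pos.collateral_units, pos.debt_usd + amount_usd)
    if health_factor(candidate, price) < 1.0:
        return pos, False
    return candidate, True

def bad_debt(pos, price):
    """Debt that the full collateral value cannot cover at the given price."""
    return max(0.0, pos.debt_usd - pos.collateral_units * price)

if __name__ == "__main__":
    start = Position(collateral_units=1000, debt_usd=0)
    # Spot price inflated to 3.0 while recent observations sit near 1.0.
    naive, ok_naive = try_borrow(start, 2000, 3.0, HISTORY, guarded=False)
    print("unguarded approved:", ok_naive, "HF:", health_factor(naive, 3.0))
    print("bad debt after price reverts:", bad_debt(naive, 1.0))
    _, ok_guarded = try_borrow(start, 2000, 3.0, HISTORY, guarded=True)
    print("guarded approved:", ok_guarded)
```

The unguarded path approves a loan whose health factor collapses once the price returns to its normal level, which is the undercollateralized state the article describes; the guarded path still accepts borrows priced within the allowed band.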