Cream Finance Insufficient Validation Bug Fix Postmortem

Summary

Azeem, Co-Founder of DeFi protocol Armor, became aware of a vulnerability in Cream Finance circulating in the wild and promptly reported it to Immunefi on June 13. The vulnerability was rated as “critical” because it allowed a malicious user to drain Cream’s liquidity mining rewards contract of approximately $100,000 in CREAM tokens, even though it had been discontinued and was not issuing new rewards. Cream Finance has awarded Azeem with a bounty of 135 CREAM, which was 20% of the contract’s TVL at the time of the report. The current market rate of that bounty comes out to $20,750. Although the vulnerability had been exploited for a minor amount, it does not appear as though any malicious users exploited the contract for a significant profit in an automated fashion.

Vulnerability Analysis

Cream Finance formerly had a liquidity mining rewards contract that they recently discontinued prior to the reporting of the vulnerability. The liquidity program allowed users to accrue CREAM tokens as mining rewards for depositing or borrowing using the protocol.

Although the contract was not issuing new rewards, it still was issuing rewards in response to users who had participated in their liquidity mining program prior to its discontinuation. However, the contract had a vulnerability, which consisted of a failure to validate whether a given user making a rewards claim had participated in their liquidity mining program from the appropriate time. In other words, using the front end of the Cream Finance interface, a malicious user could claim rewards as if they had been participating in the liquidity mining program from the beginning. No unit test existed to prevent this from happening.

The step by step method to exploit the vulnerability was as follows:

Deposit CRV in Cream Finance in new interfaceNavigate to Classic.cream.finance/rewards to earn an instant mint of 6% APY up front in CREAM tokens. This only worked with CRV and only worked once per walletSwap CRV to ETHSend to new walletSwap back to CRVRepeat exploit to obtain another instant 6% APY minted up front in CREAM rewards using the same CRV in step 1. This process could have been repeated until the contract was fully drained.

Vulnerability Fix

Cream Finance issued a fix to the Comptroller contract on June 14, the day after the vulnerability was reported.

if (compSupplierIndex[cToken][supplier] == 0) {
return;
}

And:

if (compBorrowerIndex[cToken][borrower] == 0) {
return;
}

Acknowledgements

We’d like to thank the Cream Finance team for paying out a bounty to the whitehat that was 20% of contract TVL. To report additional vulnerabilities, please see Cream Finance’s bug bounty program with Immunefi. If you’re interested in protecting your project with a bug bounty like Cream Finance, visit the Immunefi services page and fill out the form.