Cream Finance

Cream Finance is a multi-chain decentralized lending protocol (Compound V2 fork) that expanded to support a wide range of whitelisted assets as collateral — including LP tokens and yield-bearing tokens — and served as a critical piece of the Yearn Finance ecosystem via its Iron Bank (permissioned under-collateralized lending facility), before suffering three major exploits totaling over $190 million that largely ended its operational relevance.

Overview

Cream Finance launched in August 2020 on Ethereum as a Compound Finance fork offering a wider asset whitelisting policy: where Compound and Aave listed only blue-chip assets, Cream aggressively onboarded new tokens (DeFi governance tokens, LP tokens, yield tokens) to serve the long-tail DeFi market.

This permissive policy attracted TVL — but also created concentrated risk in less-liquid collateral assets that proved catastrophic in the 2021-2022 exploit cycle.

Protocol Architecture

The protocol is built around the following components.

Core Lending (Compound Fork)

Cream uses Compound V2’s cToken model:

Deposit: supply asset → receive crToken (e.g., supply ETH → receive crETH)
crToken: represents deposit claim; appreciates vs underlying as interest accrues
Borrow: deposit collateral → borrow other assets up to collateral factor
Liquidation: if account health < 1 → any address can liquidate (up to 50% of position); liquidator receives collateral at 5-10% discount (incentive)
Interest rate model: utilization-based kinked curves (low utilization = low borrow rate; high utilization = steep rate)

Asset Policy

Cream’s key differentiator: broad asset support:

Standard: ETH, WBTC, USDC, USDT, DAI
DeFi governance tokens: COMP, AAVE, YFI, CRV, MKR, LINK
LP tokens as collateral: SushiSwap LP tokens, Uniswap V2 LP tokens (collateralizable)
Yield tokens: yvDAI, yvUSDC (Yearn vault tokens), cDAI (Compound cTokens)
Long-tail: many smaller governance tokens that Aave/Compound refused to list

Risk implication: LP tokens and small-cap tokens have price oracle challenges and liquidity constraints → exploitable.

Iron Bank (B.Protocol Integration)

Iron Bank: Cream’s permissioned under-collateralized lending protocol:

For whitelisted protocols only (not retail users): Yearn Finance, Alpha Finance, others
Yearn-Cream relationship: Yearn designated Cream as its official lending partner; Cream deployed special market for Yearn protocols
Under-collateralized: Iron Bank protocols borrow without 100%+ collateral (protocol-level creditlines)
Risk: if Iron Bank borrower defaults → Cream protocol takes loss
Alpha Finance exploit (Feb 2021): Iron Bank alpha.finance borrowing used in $37.5M exploit (attacker borrowed via Alpha → flash loan leveraged → drained Alpha’s pool → Cream’s Iron Bank also impacted)

Major Exploits

The following sections cover this in detail.

Exploit 1: February 2021 — Alpha Finance / Iron Bank ($37.5M)

Vector: Alpha Finance Iron Bank under-collateralized borrow + flash loan
Mechanism: attacker found vulnerability in Alpha Finance’s HomoraV2 contract; borrowed from Cream’s Iron Bank via Alpha Finance credit line; exploited HomoraV2’s accounting → drained $37.5M from both Alpha and Cream
Loss to Cream: $37.5M (Iron Bank credit losses absorbed by Cream protocol)
Impact: first major Cream loss; protocols reviewing Iron Bank credit line risk

Exploit 2: August 2021 — Flash Loan Sandwich ($18.8M)

Vector: flash loan + price manipulation of AMP token
Mechanism: attacker took flash loan → deposited AMP (reentrancy vulnerability in AMP ERC-777 token) → borrowed ETH/USDC → simultaneously re-entered AMP deposit (AMP’s transferFrom called attacker’s hook mid-execution) → doubled the collateral count → escaped with unbacked borrowing
Loss: $18.8M
Contract issue: Cream did not properly guard against ERC-777 token reentrancy in AMP (a known pattern but not mitigated)

Exploit 3: October 2021 — Flash Loan Oracle ($130M)

Vector: flash loan + yUSD price oracle manipulation
Mechanism: complex multi-step attack

Attacker borrowed $500M+ in flash loans across protocols
Used borrowed assets to manipulate yUSD (Yearn vault token) price oracle on Cream (oracle: Cream’s own price feed based on Cream pool state)
With inflated yUSD oracle price: deposited yUSD as collateral → borrowed 100s of millions in undercollateralized loans
Exited: repaid flash loans, kept borrowed funds → $130M profit

Loss: $130M — largest single DeFi Oracle exploit to that point
Root cause: Cream used internal pool state for yUSD pricing rather than external oracle → pool manipulation = price manipulation

Combined Impact

Total losses: ~$186M across three exploits in 2021.

TVL impact: $1B+ TVL (2021 peak) → <$20M by 2022
CREAM token: $400 peak → <$10 by 2022
Protocol status: effectively non-operational for new users; legacy markets remained open for existing depositors

CREAM Token

Max supply: 9,000,000 CREAM
Distribution: liquidity mining (to lenders and borrowers), team, pre-sale investors
Governance: CREAM holders vote on new asset listings, protocol risk parameters, treasury allocation
No staking reward mechanism (unlike COMP or AAVE safety module) — governance-only

Relationship to Yearn Finance

Cream Finance was part of the original “DeFi Blue Chip” consortium:

Yearn designated Cream as official lending partner (2020)
Iron Bank: Cream/Yearn co-developed permissioned credit facility
Re-branding: eventually Cream’s “Iron Bank” was spun out as an independent protocol (IB/Iron Bank) post-Cream decline
Yearn: maintained Iron Bank independently; Cream: focus moved to smaller chain deployments

Sources

Cream Finance Documentation — Cream Finance Team, 2020–2022. Technical documentation covering protocol architecture (Cream: Compound V2 fork with modified asset listing (permissive, broader assets); crToken mechanics: identical to Compound cToken (ERC-20 receipt, exchange rate: crToken/underlying increases as interest accrues; interestAccrued = borrowBalance × interestRate × timeSinceLastAccrual; comptroller: tracks all markets, interest rates, collateral factors, liquidation incentives; collateral factor: per-asset (ETH: 80%, BTC: 75%, DeFi governance: 50-65%, LP tokens: 40-55%); liquidation: if AccountHealth = ΣCollateral×CF / ΣBorrowed < 1 → liquidatable; liquidation bonus: 8% (liquidator receives 108% of repaid debt value in collateral)); Iron Bank architecture (Iron Bank: separate Cream deployment with credit line registry; creditLine[protocol] = max_borrow_cap; protocol must call borrowBehalf(to, amount, market) → Cream credits tokens without full collateral; repayment: protocol repays via repayBehalf(); risk: if protocol doesn't repay → Iron Bank takes bad debt; credit lines approved by Cream governance (CREAM votes); utilization: limited to whitelisted protocols (Yearn, Alpha V2, DeFi Saver, etc.)); CREAM token (ERC-20; total supply: 9M; distribution: 50% liquidity mining, 25% pre-sale, 15% dev/team, 10% reserve; governance: propose + vote 100K CREAM minimum proposer threshold)..]

“Cream Finance Oracle Exploit Analysis: $130M October 2021” — DeFi Security Research, 2021. Detailed technical analysis of the October 2021 Cream Finance oracle manipulation exploit — the specific steps of the $500M flash loan attack, how the attacker caused the yUSD price oracle to reflect manipulated values, the resulting under-collateralized borrowing, and what oracle design choices would have prevented the attack.

“Cream Finance’s Iron Bank: Under-Collateralized Protocol Lending Model” — DeFi Credit Research, 2021–2022. Analysis of Cream Finance’s Iron Bank permissioned under-collateralized lending facility — how Yearn Finance used Iron Bank credit lines to borrow capital for yield strategies (leveraging capital without full collateral), the economic efficiency gains, and the systemic risks of protocol-level credit lines exposed by the Alpha Finance exploit.

“Multi-Chain Lending Protocol Competition: Compound, Aave, Cream, Euler” — DeFi Lending Research, 2021. Comparative analysis of Ethereum’s lending protocol landscape circa 2021 — Compound (conservative, blue-chip assets), Aave (moderate, broader assets + flash loans + stable rates), Cream (aggressive, long-tail assets + LP tokens), Euler (innovative, reactive interest rates + protected collateral) — examining TVL, security incident rates, and the relationship between liberal asset listing and exploit frequency.

“From Cream to Iron Bank: Protocol Evolution After the $130M Exploit” — DeFi Post-Exploit Recovery, 2022. Analysis of how Cream Finance responded to its three-exploit catastrophe — the pivot to Iron Bank as independent protocol, multi-chain wind-down of non-core markets, and the eventual community fork of Iron Bank by Yearn Finance (into “Unit Protocol” style arrangement) — examining whether DeFi protocols can recover after major exploits and what recovery strategies were attempted.