Authors
Idle Treasury Leagues
Summary
This proposal removes Cream from the idleFEI Best-Yield pool. With its execution, the pool will deploy funds in Aave v2 and Fuse pool #8.
Rationale
Cream protocol suffered a $130m loss on 27th October 2021, making it the third-largest DeFi hack in history.
The attackers found a vulnerability in the platform’s lending system and used it to steal Cream’s assets. The attacker used a complex blend of collateral/borrow transactions and inflated the price of yUSD to game Cream’s collateralization ratio and leave a $130m underwater loan.
Technical analysis of the attack is available here.
The Integration Standard Requirements evaluate losses on a case-by-case basis. Hacks directly related to a protocol’s smart contracts represent a red flag, especially when there are no mitigation mechanisms and the maximum stolen amount is equal to the protocol’s TVL, as in this case.
Following this incident, Cream can no longer be compatible with Idle’s risk profile, and the Leagues propose to remove it from idleFEI (the only pool supporting it).
There are no material risks on Idle’s side, as the rebalancer has already paused any possible Cream deposit, but this proposal would finalize the protocol deactivation.
Specifications
The technical implementation will be developed by Dev League.
Actions:
- Remove Cream protocol from idleFEI: 1 action
Next Steps
We are going to leave this thread open for comments regarding this proposal, and in about 48hrs, if there are no objections, we will proceed with the Temperature Check.