Idle Treasury Leagues
Cream protocol suffered a $130m loss on 27th October 2021, making it the third-largest DeFi hack in history.
The attackers found a vulnerability in the platform’s lending system and used it to steal Cream’s assets. The attacker used a complex blend of collateral/borrow transaction and inflated the price of yUSD to game Cream collateralization ratio and leave a $130m underwater loan.
Technical analysis of the attack is available here.
The Integration Standard Requirements evaluate losses on a case-by-case basis. Hacks directly related to protocol’s smart contracts represent a red flag, especially when there are no mitigation mechanisms and the maximum stolen amount is equal to the protocol’s TVL, like in this case.
Following this incident, Cream can no longer be compatible with Idle’s risk profile and Leagues propose to remove it from idleFEI (the only pool supporting it).
There are no material risks on Idle side, as the rebalancer already paused any possible Cream deposit, but this proposal would finalize the protocol deactivation.
The technical implementation will be developed by Dev League.
- Remove Cream protocol from idleFEI: 1 action
We are going to leave this thread open for comments regarding this proposal, and in about 48hrs, if there are no objections, we will proceed with the Temperature Check.