Difference between revisions of "Cream Finance (CREAM)"

From CryptoWiki

 
(2 intermediate revisions by the same user not shown)
Line 15: Line 15:


''"What happens when you [[fork]] Compound and add lending pools for [[DeFi|DeFi’]]s most [[degen]] assets? You get Cream Finance."''
''"What happens when you [[fork]] Compound and add lending pools for [[DeFi|DeFi’]]s most [[degen]] assets? You get Cream Finance."''
* [https://medium.com/@investigationsbyzachxbt/22-000-eth-embezzled-and-over-ten-projects-failed-the-story-of-machi-big-brother-jeff-huang-a1ad073fcfa8 From] [[ZachXBT]] (16-6-2022):
''"Bun Hsu, Jeremy Yang, and Stanley Yang were among Cream’s dev team. As of today, Cream Finance has [https://decrypt.co/84590/cream-finance-suffers-third-hack-losing-over-130-million been exploited] three times for more than $192m USD due to negligence."''
== Audits & Exploits ==
== Audits & Exploits ==


*[[Bug bounty]] program can be found [insert here].
*C.R.E.A.M. [https://immunefi.com/bounty/creamfinance/ offers] an active [[bug bounty]] of $1.25M with [[ImmuneFi|Immunefi]] (16-3-2022).
*[https://defisafety.com/2020/10/24/c-r-e-a-m/ Score] of 83% on [[DeFi Safety]] (12-4-2021): ''"A single quick [https://github.com/trailofbits/publications/blob/master/reviews/CREAMSummary.pdf audit] was performed by a top notch auditing firm; [[Trail of Bits]]. This was done in January and V2 of CREAM appears was deployed around Aug 2020."'' With the [https://t.me/c/1453353094/2852 comment]: ''"Re-did their site, filling in the details needed and now score 83%, pretty solid across the board."''
*Scored 61% on [[DeFi Safety]] (16-3-2022):
*This was after an earlier [https://docs.defisafety.com/finished-reviews/c.r.e.a.m-finance score] of 8% (10-2020). When asked by their team to re-evaluate, DeFi Safety first [https://t.me/c/1453353094/2345 stood by its earlier score] (30-1-2021). But the later improvements changed it.
''"This protocol's software function documentation is also documented in full at this [https://github.com/CreamFi/compound-protocol/blob/master/README.md location]. While C.R.E.A.M. is a fork of Compound, they directly [[state]] this alongside explaining where to find the relevant documentation. There is no evidence of any C.R.E.A.M code coverage, however there is a reasonably complete set of tests. C.R.E.A.M. has not undergone formal verification."''
 
With the [https://t.me/c/1453353094/7872 comment]: ''"To improve their score, C.R.E.A.M. should develop more robust admin control information alongside clearer timelock and pause control documentation."''
*Previously [https://defisafety.com/2020/10/24/c-r-e-a-m/ scored] of 83% (12-4-2021): ''"A single quick [https://github.com/trailofbits/publications/blob/master/reviews/CREAMSummary.pdf audit] was performed by a top notch auditing firm; [[Trail of Bits]]. This was done in January and V2 of CREAM appears was deployed around Aug 2020."'' With the [https://t.me/c/1453353094/2852 comment]: ''"Re-did their site, filling in the details needed and now score 83%, pretty solid across the board."''
*This was after an earlier [https://docs.defisafety.com/finished-reviews/c.r.e.a.m-finance score] of 8% (10-2020). When asked by their team to re-evaluate, [[Defi|DeFi]] Safety first [https://t.me/c/1453353094/2345 stood by its earlier score] (30-1-2021). But the later improvements changed it.
*From the yEarn partnership blog (13-5-2021):
*From the yEarn partnership blog (13-5-2021):


Line 28: Line 37:
*[https://www.coindesk.com/business/2021/11/14/cream-plunges-on-news-that-hack-compensation-will-inflate-token-supply/ From] [[CoinDesk (DESK)|CoinDesk]] (14-11-2021):
*[https://www.coindesk.com/business/2021/11/14/cream-plunges-on-news-that-hack-compensation-will-inflate-token-supply/ From] [[CoinDesk (DESK)|CoinDesk]] (14-11-2021):


''"To recompense victims of the attack, Cream said it will issue to certain affected members 1.45 million CREAM [[tokens]] from the service’s treasury. While Cream has 9 million coins outstanding, per [[CoinMarketCap]], only 150,000 of those are in circulation. By so rapidly expanding the supply of coins in circulation, it’s bound to affect demand and therefore the per-coin price.''
''"To recompense victims of the attack, Cream said it will issue to certain affected members 1.45 million CREAM [[tokens]] from the service’s treasury. While Cream has 9 million coins outstanding, per [[CoinMarketCap]], only 150,000 of those are in circulation. By so rapidly expanding the supply of coins in circulation, it’s bound to affect demand and therefore the per-[[COIN|coin]] price.''


''And affect it it did. The price of the coin fell from around $88 to as low as $51.78, according to [[Messari]], before rebounding to $56.44 in recent trading. Before the exploit on Oct. 27, CREAM was trading above $152."''
''And affect it it did. The price of the coin fell from around $88 to as low as $51.78, according to [[Messari]], before rebounding to $56.44 in recent trading. Before the exploit on Oct. 27, CREAM was trading above $152."''
Line 34: Line 43:
*[https://www.rekt.news/cream-rekt/ From] [[Rekt]] (28-10-2021):
*[https://www.rekt.news/cream-rekt/ From] [[Rekt]] (28-10-2021):


''Cream Finance has been hacked (again) for ~$130 million. That’s position number three on our leaderboard, the second entry for the Cream Finance protocol, and ten positions in total for the [[YEarn (YFI)|Yearn]] Ecosystem. The hacker was able to take advantage of a pricing vulnerability by repeatedly lending and borrowing [[Flash Loan|flash-loaned]] funds across two [[Address|addresses]]. Next, after accumulating yUSDVault-collateralised crYUSD, the price of the underlying yUSDVault token was manipulated in order to effectively double the value of the collateral owned by the attacker. Finally, using the now overvalued collateral, the attacker drained CREAM’s lending vaults of as many assets as possible. A full table of the stolen funds, which include over 2760 [[Ethereum (ETH)|ETH]], a total of 76 [[Bitcoin (BTC)|BTC]] in [[REN (REN)|renBTC]], [[Wrapped Bitcoin (WBTC)|WBTC]] and [[HBTC]], as well as tens of millions in [[stablecoins]] and other tokens, can be found [https://twitter.com/SlowMist_Team/status/1453398034151194627?t=EjgoIA992F938Hoc1oyBVw&s=19 here].''
''Cream Finance has been hacked (again) for ~$130 million. That’s position number three on our leaderboard, the second entry for the Cream Finance protocol, and ten positions in total for the [[YEarn (YFI)|Yearn]] Ecosystem. The hacker was able to take advantage of a pricing vulnerability by repeatedly lending and borrowing [[Flash Loan|flash-loaned]] funds across two [[Address|addresses]]. Next, after accumulating yUSDVault-collateralised crYUSD, the price of the underlying yUSDVault token was manipulated in order to effectively double the value of the collateral owned by the attacker. Finally, using the now overvalued collateral, the attacker drained CREAM’s lending vaults of as [[MANY|many]] assets as possible. A full table of the stolen funds, which include over 2760 [[Ethereum (ETH)|ETH]], a total of 76 [[Bitcoin (BTC)|BTC]] in [[REN (REN)|renBTC]], [[Wrapped Bitcoin (WBTC)|WBTC]] and [[HBTC]], as well as tens of millions in [[stablecoins]] and other tokens, can be found [https://twitter.com/SlowMist_Team/status/1453398034151194627?t=EjgoIA992F938Hoc1oyBVw&s=19 here].''


''Other protocols were named in a mysterious message in the [https://etherscan.io/tx/0x0fe2542079644e107cbf13690eb9c2c65963ccb79089ff96bfaf8dced2331c92 main exploit transaction’s input data]; gÃTµ [[Aave (AAVE)|Baave]] lucky, iron bank lucky, cream not. ydev : incest bad, dont do''
''Other protocols were named in a mysterious message in the [https://etherscan.io/tx/0x0fe2542079644e107cbf13690eb9c2c65963ccb79089ff96bfaf8dced2331c92 main exploit transaction’s input data]; gÃTµ [[Aave (AAVE)|Baave]] lucky, iron bank lucky, cream not. ydev : incest bad, dont do''
Line 44: Line 53:
''"Cream Finance returned [https://twitter.com/CreamdotFinance/status/1443909164443439107 $18.8M worth of crypto assets] with an assistance of [[Pascal Caversaccio]] and Lossless."''
''"Cream Finance returned [https://twitter.com/CreamdotFinance/status/1443909164443439107 $18.8M worth of crypto assets] with an assistance of [[Pascal Caversaccio]] and Lossless."''


*[https://www.rekt.news/cream-rekt/ From] Rekt (30-8-2021):
*[https://www.rekt.news/cream-rekt/ From] [[REKT|Rekt]] (30-8-2021):


''"Cream Finance was [https://docs.cream.finance/audit-report audited] by [[Trail of Bits]] (one of the few auditors absent from our leaderboard) on Jan 28th 2021. However, even the strongest audit becomes irrelevant once the protocol is changed. On Feb 10th 2021, the Cream proposal to add the [[Amp (AMP)|AMP]] token came into effect, and the loophole opened up. Although they were involved with the [[Alpha Finance (ALPHA)|Alpha Finance]] incident, this is actually the first direct attack to hit Cream Finance. However, as [[Mudit Gupta|@muditgupta]] pointed out;''
''"Cream Finance was [https://docs.cream.finance/audit-report audited] by [[Trail of Bits]] (one of the few auditors absent from our leaderboard) on Jan 28th 2021. However, even the strongest audit becomes irrelevant once the protocol is changed. On Feb 10th 2021, the Cream proposal to add the [[Amp (AMP)|AMP]] token came into effect, and the loophole opened up. Although they were involved with the [[Alpha Finance (ALPHA)|Alpha Finance]] incident, this is actually the first direct attack to hit Cream Finance. However, as [[Mudit Gupta|@muditgupta]] pointed out;''
Line 78: Line 87:


=== Admin Keys ===
=== Admin Keys ===
*[https://www.defisafety.com/pqrs/420 From] [[DeFi Safety]] (16-3-2022):
''"The relevant contracts are not identified as [[immutable]]. While this is inferred via the voting process, it is unclear precisely in documentation. Ownership is not clearly indicated C.R.E.A.M.'s documentation. Some staking [[contract]] permissions are identified, but this requires more [https://docs.cream.finance/eth2/why-stake-in-ethereum-2.0#risks-you-should-know-before-staking clarity]. Smart contract change capabilities are inferred but not clearly identified in the contracts. This protocol's pause control is documented but not explained in this [https://github.com/CreamFi/compound-protocol/blob/master/contracts/Comptroller.sol location]. There is no evidence of regular testing. It is a [[fork]] of [[Compound (COMP)|Compound's]] pause guardian.C.R.E.A.M. has no [[timelock]] documentation."''
*In the [https://medium.com/iearn/yearn-cream-v2-merger-e9fa6c6989b4 announcement] of the merger with [[yEarn]] it the following was also mentioned as an update (26-11-2020):
"''CREAM [[multi-sig]] keys will be rotated to facilitate rapid iteration, testing, and deployment."''


*From their [https://twitter.com/CreamdotFinance twitter] (16-8-2020):
*From their [https://twitter.com/CreamdotFinance twitter] (16-8-2020):


''"Token and protocol [[admin keys]] are moving into a [[multisig]] this week, governed by community leaders. We welcome @[[Compound (COMP)|compoundfinance]] onboard as our technical and security advisor. Thank you multisig holders  @[[Leshner|rleshner]] @pet3rpan_ @[[QCP Capital|QCPCapital]] @[[Andrew Kang|Rewkang]] & more."''
''"Token and protocol [[admin keys]] are moving into a [[multisig]] this week, governed by community leaders. We welcome @[[Compound (COMP)|compoundfinance]] onboard as our technical and security advisor. Thank you multisig holders  @[[Leshner|rleshner]] @pet3rpan_ @[[QCP Capital|QCPCapital]] @[[Andrew Kang|Rewkang]] & more."''
* In the [https://medium.com/iearn/yearn-cream-v2-merger-e9fa6c6989b4 announcement] of the merger with [[yEarn]] it the following was also mentioned as an update (26-11-2020):
"''CREAM [[multi-sig]] keys will be rotated to facilitate rapid iteration, testing, and deployment."''
=== DAO ===
=== DAO ===
* According to their [https://medium.com/cream-finance/announcing-c-r-e-a-m-swap-a7b318f19f6 announcement] (4-9-2020) [https://medium.com/cream-finance/c-r-e-a-m-dao-community-governance-fc1bd5ade10b?source=---------14------------------ there is] also a C.R.E.A.M [[DAO]].
* According to their [https://medium.com/cream-finance/announcing-c-r-e-a-m-swap-a7b318f19f6 announcement] (4-9-2020) [https://medium.com/cream-finance/c-r-e-a-m-dao-community-governance-fc1bd5ade10b?source=---------14------------------ there is] also a C.R.E.A.M [[DAO]].
Line 146: Line 157:


=== Utility ===
=== Utility ===
* The CREAM token allows users to lend, borrow, [[stake]] or swap assets and help govern the network, allowing them to vote on assets to support or delist ([https://coinmarketcap.com/currencies/cream-finance/ 13-5-2021]).
* The CREAM token allows users to [[LEND|lend]], borrow, [[stake]] or swap assets and help govern the network, allowing them to vote on assets to support or delist ([https://coinmarketcap.com/currencies/cream-finance/ 13-5-2021]).


* [https://research.binance.com/en/projects/cream-finance From] [[Binance|Binance Research]] (16-9-2020):
* [https://research.binance.com/en/projects/cream-finance From] [[Binance|Binance Research]] (16-9-2020):
Line 159: Line 170:
"''[[FTX (FTT)|FTT]] dominates over 50% of the total [[liquidity]] on Cream Finance. Cream [[governance]] last week voted to partially delist FTT from the platform, reducing its borrowing power, as a response."''
"''[[FTX (FTT)|FTT]] dominates over 50% of the total [[liquidity]] on Cream Finance. Cream [[governance]] last week voted to partially delist FTT from the platform, reducing its borrowing power, as a response."''
== Tech ==
== Tech ==
* [[Whitepaper]] can be found [insert here].
* [[Whitepaper]] can be found [https://docs.cream.finance/ here].
* Code can be viewed [insert here].
* Code can be viewed [https://github.com/CreamFi/compound-protocol here]. [https://www.defisafety.com/pqrs/420 From] [[DeFi Safety]] (16-3-2022):
''"With 312 commits and 27 branches, C.R.E.A.M 's main smart contract repository is the cream of the crop."''


=== Implementations ===
=== Implementations ===
Line 195: Line 207:
== Oracle Method ==
== Oracle Method ==


* [https://docs.cream.finance/lending/price-oracle Uses] [[Chainlink (LINK)|Chainlink]] as primary [[oracle]] (5-2021).
* [https://www.defisafety.com/pqrs/420 From] [[DeFi Safety]] (16-3-2022):
''"This protocol documents no [[Frontrunners|front running]] mitigation techniques. However, as this is primarily a lending protocol, this does not apply. This protocol documents no [[Flash Loan|flashloan]] countermeasures. This is alarming considered the history this protocol has with flashloan attacks."''
*[https://docs.cream.finance/lending/price-oracle Uses] [[Chainlink (LINK)|Chainlink]] as primary [[oracle]] (5-2021).
*From a [[Band Protocol (BAND)|Band Protocol]] [https://medium.com/bandprotocol/band-protocol-may-2021-community-update-c357f495ee63 update] (3-6-2021):
*From a [[Band Protocol (BAND)|Band Protocol]] [https://medium.com/bandprotocol/band-protocol-may-2021-community-update-c357f495ee63 update] (3-6-2021):


Line 204: Line 218:


''"No personal documentation or credit checks are required to borrow cryptocurrency on Cream Finance and there is also no time limit on when you must pay back the loan."''
''"No personal documentation or credit checks are required to borrow cryptocurrency on Cream Finance and there is also no time limit on when you must pay back the loan."''
== Compliance ==


== Their Other Projects ==
== Their Other Projects ==
Line 249: Line 261:
''"C.R.E.A.M. makes significant revenue as a [[validator]] on [[Binance|BSC]] and [[Fantom (FTM)|Fantom]]. C.R.E.A.M. launched its BSC [[node]] in May and became a top five validator within a week. Not only is CREAM helping to [[Decentralized|decentralize]] these networks, but it’s on track to contribute more than $2M annually to C.R.E.A.M.’s treasury."''
''"C.R.E.A.M. makes significant revenue as a [[validator]] on [[Binance|BSC]] and [[Fantom (FTM)|Fantom]]. C.R.E.A.M. launched its BSC [[node]] in May and became a top five validator within a week. Not only is CREAM helping to [[Decentralized|decentralize]] these networks, but it’s on track to contribute more than $2M annually to C.R.E.A.M.’s treasury."''
== Roadmap ==
== Roadmap ==
* Can be found [Insert link here].
* Can be found [Insert [[LINK|link]] here].
* In the [https://medium.com/iearn/yearn-cream-v2-merger-e9fa6c6989b4 announcement] of the merger with [[yEarn]] it the following was also mentioned as an update (26-11-2020):
* In the [https://medium.com/iearn/yearn-cream-v2-merger-e9fa6c6989b4 announcement] of the merger with [[yEarn]] it the following was also mentioned as an update (26-11-2020):
''"Cream Lending Protocol v2. A focused lending product with a shortlist of Blue Chip tokens accepted as collateral."''
''"Cream Lending Protocol v2. A focused lending product with a shortlist of Blue Chip tokens accepted as collateral."''
Line 287: Line 299:
=== Pros ===
=== Pros ===
=== Cons ===
=== Cons ===
* Multiple of CREAM core members got [https://medium.com/@investigationsbyzachxbt/22-000-eth-embezzled-and-over-ten-projects-failed-the-story-of-machi-big-brother-jeff-huang-a1ad073fcfa8 implicated] in fraud by an expose of [[ZachXBT]] (16-6-2022).
== Team, Funding and Partners ==
== Team, Funding and Partners ==
=== Team ===
=== Team ===
Line 298: Line 313:


''"The core Cream Finance team to consist of four people: founder Jeffrey Huang and three developers with extensive computer science backgrounds, one of which has also worked on [[OMG Network (OMG)|OmiseGo]] and [[Ethereum (ETH)|Ethereum]]."''
''"The core Cream Finance team to consist of four people: founder Jeffrey Huang and three developers with extensive computer science backgrounds, one of which has also worked on [[OMG Network (OMG)|OmiseGo]] and [[Ethereum (ETH)|Ethereum]]."''
* Multiple of CREAM core members got [https://medium.com/@investigationsbyzachxbt/22-000-eth-embezzled-and-over-ten-projects-failed-the-story-of-machi-big-brother-jeff-huang-a1ad073fcfa8 implicated] in fraud by an expose of [[ZachXBT]] (16-6-2022).


=== Funding ===
=== Funding ===

Latest revision as of 10:27, 11 July 2022

"C.R.E.A.M Finance is a decentralized peer-to-peer (P2P) DeFi platform that provides lending, borrowing, swap, payment and tokenization services for digital assets. The C.R.E.A.M. Finance protocol was created as a Compound Finance fork, while its C.R.E.A.M. SWAP exchange is based on the code of Balancer Labs."

Cream Finance
TypeLending Protocol
Total supply2 992 500 CREAM

Basics

History

"What happens when you fork Compound and add lending pools for DeFi’s most degen assets? You get Cream Finance."

"Bun Hsu, Jeremy Yang, and Stanley Yang were among Cream’s dev team. As of today, Cream Finance has been exploited three times for more than $192m USD due to negligence."

Audits & Exploits

"This protocol's software function documentation is also documented in full at this location. While C.R.E.A.M. is a fork of Compound, they directly state this alongside explaining where to find the relevant documentation. There is no evidence of any C.R.E.A.M code coverage, however there is a reasonably complete set of tests. C.R.E.A.M. has not undergone formal verification."

With the comment: "To improve their score, C.R.E.A.M. should develop more robust admin control information alongside clearer timelock and pause control documentation."

  • Previously scored of 83% (12-4-2021): "A single quick audit was performed by a top notch auditing firm; Trail of Bits. This was done in January and V2 of CREAM appears was deployed around Aug 2020." With the comment: "Re-did their site, filling in the details needed and now score 83%, pretty solid across the board."
  • This was after an earlier score of 8% (10-2020). When asked by their team to re-evaluate, DeFi Safety first stood by its earlier score (30-1-2021). But the later improvements changed it.
  • From the yEarn partnership blog (13-5-2021):

"An audit of C.R.E.A.M. v1 and v2/Iron Bank with Trail of Bits was completed in January. No high severity vulnerabilities were identified."

Bugs/Exploits

"To recompense victims of the attack, Cream said it will issue to certain affected members 1.45 million CREAM tokens from the service’s treasury. While Cream has 9 million coins outstanding, per CoinMarketCap, only 150,000 of those are in circulation. By so rapidly expanding the supply of coins in circulation, it’s bound to affect demand and therefore the per-coin price.

And affect it it did. The price of the coin fell from around $88 to as low as $51.78, according to Messari, before rebounding to $56.44 in recent trading. Before the exploit on Oct. 27, CREAM was trading above $152."

Cream Finance has been hacked (again) for ~$130 million. That’s position number three on our leaderboard, the second entry for the Cream Finance protocol, and ten positions in total for the Yearn Ecosystem. The hacker was able to take advantage of a pricing vulnerability by repeatedly lending and borrowing flash-loaned funds across two addresses. Next, after accumulating yUSDVault-collateralised crYUSD, the price of the underlying yUSDVault token was manipulated in order to effectively double the value of the collateral owned by the attacker. Finally, using the now overvalued collateral, the attacker drained CREAM’s lending vaults of as many assets as possible. A full table of the stolen funds, which include over 2760 ETH, a total of 76 BTC in renBTC, WBTC and HBTC, as well as tens of millions in stablecoins and other tokens, can be found here.

Other protocols were named in a mysterious message in the main exploit transaction’s input data; gÃTµ Baave lucky, iron bank lucky, cream not. ydev : incest bad, dont do

In Mudit Gupta’s Observations and Theories about the attack, he points out several reasons why he believes the hacker, (or hackers) to be experienced DeFi developers, and how it is not the average black hat attack.

"Cream Finance returned $18.8M worth of crypto assets with an assistance of Pascal Caversaccio and Lossless."

"Cream Finance was audited by Trail of Bits (one of the few auditors absent from our leaderboard) on Jan 28th 2021. However, even the strongest audit becomes irrelevant once the protocol is changed. On Feb 10th 2021, the Cream proposal to add the AMP token came into effect, and the loophole opened up. Although they were involved with the Alpha Finance incident, this is actually the first direct attack to hit Cream Finance. However, as @muditgupta pointed out;

seems like [Cream] would have been safe had they just added reentrancy protection on their borrow/lend function."

"Cream Finance patched a bug in a discontinued mining rewards contracts after it was responsibly disclosed by Armor’s Azeem."

"Cream Finance has written $1.3 million in bad debt due to a crash in the price of SWAG tokens. The tokens were used as collateral in one of Cream Finance's liquidity pools. Cream Finance will pay users from its reserves."

"Hackers compromised PancakeSwap’s and Cream Finance’s websites yesterday. The Domain Name Service (DNS) attack modified the affected protocols’ website to display a request for the user’s seed phrase, which, if submitted, would compromise their entire account. Because the attack was not on a smart contract itself it is still unclear how many users the hacker tricked into sending their seed phrase as well as the total amount the attack netted."

  1. "The attackers is the only user who is in the (announced) sUSD pool for Alpha Homora
  2. The attacker borrows ETH from Cream’s Ironbank by using the sUSD as collateral
  3. The attacker then repay the debt accrued from borrowing the sUSD, however due to a very minor borrowing error he is able to profit a very tiny amount through this exploit
  4. The method to make this tiny profit is then re-executed multiple times in order to reach a size where the profit exceeds well into the 7 figure range
  5. The hacker has outstanding debt to the Ironbank via Alpha Homora but of course is never going to repay it
  6. Hacker starts washing funds through Tornado and gives a friendly donation of 1,000 ETH to Alpha and Cream in the process

Important clarification: Cream lenders haven’t directly lost money but they have an outstanding loan from Alpha Homora that needs to be repaid. Alpha as a platform is a borrower on Cream similar to if the ALPHA token was used as collateral.

What’s interesting here is that Alpha received 2 audits and yet this exploit still happened. The exploit is so complex it took many researchers and developers hours to truly understand what really went down suggesting that even the existing audit capabilities we have don’t fully measure up."

Governance

Admin Keys

"The relevant contracts are not identified as immutable. While this is inferred via the voting process, it is unclear precisely in documentation. Ownership is not clearly indicated C.R.E.A.M.'s documentation. Some staking contract permissions are identified, but this requires more clarity. Smart contract change capabilities are inferred but not clearly identified in the contracts. This protocol's pause control is documented but not explained in this location. There is no evidence of regular testing. It is a fork of Compound's pause guardian.C.R.E.A.M. has no timelock documentation."

  • In the announcement of the merger with yEarn it the following was also mentioned as an update (26-11-2020):

"CREAM multi-sig keys will be rotated to facilitate rapid iteration, testing, and deployment."

"Token and protocol admin keys are moving into a multisig this week, governed by community leaders. We welcome @compoundfinance onboard as our technical and security advisor. Thank you multisig holders @rleshner @pet3rpan_ @QCPCapital @Rewkang & more."

DAO

"While the project had been hinting a transition to a DAO since it was released, this was officially announced by Cream Finance on September 2nd. While Cream Finance’s DAO is still in development, the Medium posts seems to indicate that it will take bits and pieces from other projects such as Aragon to build it. CREAM token holders will have governance, though it is unclear how voting will work at the current time."

Listing Committee

  • From their blog (24-6-2021):

"The Listing Committee votes on:

  1. Asset Listing
  2. Reserve Factors
  3. Collateral Factors
  4. Collateral Caps

Which C.R.E.A.M. markets will the listing committee vote on? Ethereum V1, BSC, Arbitrum, and Fantom

There are five members of the Listing Committee — three must vote ‘yes’ in order for a proposal to pass. The default time for voting is three days, but the committee can take up to five days."

Treasury

  • From their blog (4-10-2020):

"We have renamed the remaining balance of the Liquidity Mining allocation to simply Treasury, which will serve to further provide incentives for two upcoming products in the pipeline and provide funding for future projects."

"On Ethereum C.R.E.A.M. v1, we converted revenues from 47 assets into $1,522,339.12 in stable coins. We then invested these stables into yield-generating stables (yvusdp3CRV $715,235.42; yvCurve-IronBank $721,224.61) and ETH (9.85).

On C.R.E.A.M. BSC, we converted 80% of revenues from 26 assets into $465K of BUSD. These funds were then redeposited into C.R.E.A.M. BSC to earn a yield.

In total, C.R.E.A.M. now has $7M in our treasury derived from protocol fees. Additionally, the 20% of fees generated from Ethereum and BSC lending platforms continue to serve as a liquidity and reserve in our markets."

Token

Launch

Token allocation

"Users who create and deposit into liquidity pools on Swap will receive a proof token named CRPT (Cream Pool Token), similar to how Balancer has BPT and Uniswap has UNI for their liquidity providers. At the start, all exchange fees will be set to 0.25%. Liquidity providers will receive 0.2%, while the other 0.05% will go to the CREAM network."

"The tokens have been allocated as follows:

  1. 10% (900,000) of tokens will go to the team and advisors, 75% of which will vest over four years and a six month cliff;
  2. 10% will be used as seed with four years vesting (one year cliff);
  3. 20% (1.8 million) CREAM will be used to incentivize liquidity providers;
  4. 60 (5.4 million) is allocated for governance.

*25% of the team allocation, 225,000 CREAM, has been allocated to our technical and security advisor Compound Finance, distributed monthly, 37,500 per month. These tokens are legally locked. They will not enter circulation until February 8th, 2021.

We have moved 8,325,000, 92.5% of CREAM tokens into the multisig wallet."

  • Made a move to burn 67.5% of their supply (19-9-2020):

"This burn will include 100% of the “governance” tokens, and 75% of the Seed tokens. Governance does not necessarily need to govern token treasury. Yearn Finance’s governance does not, and that is the norm so far. Even by burning all of the Governance allocation, C.R.E.A.M. still has plenty of collected fees and tokens in the treasury. Thanks to our seed investors and their continued support and sacrifices for the project, they have agreed to a 75% burn in exchange for accelerated vesting of 1-year, monthly vesting.

We have renamed the remaining balance of the Liquidity Mining allocation to simply Treasury, which will serve to further provide incentives for two upcoming products in the pipeline and provide funding for future projects."

  • Issued 1.45 million CREAM tokens after an exploit to compensate users (14-11-2021).

Utility

  • The CREAM token allows users to lend, borrow, stake or swap assets and help govern the network, allowing them to vote on assets to support or delist (13-5-2021).

"A portion of interest as well as transaction fees are collected by the platform, and distributed to CREAM token holders as rewards."

Token Details

Coin Distribution

"FTT dominates over 50% of the total liquidity on Cream Finance. Cream governance last week voted to partially delist FTT from the platform, reducing its borrowing power, as a response."

Tech

"With 312 commits and 27 branches, C.R.E.A.M 's main smart contract repository is the cream of the crop."

Implementations

How it works

"Rather than interest rates being set by individuals, they are determined algorithmically based on the proportion of assets lent out."

"As with Compound Finance, to borrow cryptocurrency on Cream Finance you need to deposit an amount of cryptocurrency (in USD) which is greater than the amount of cryptocurrency you will be borrowing (in USD). This deposited crypto is referred to as collateral and having more money deposited than you are borrowing is referred to as overcollateralization. You are currently allowed to borrow up to 60% of the USD value of the cryptocurrency you deposited. This may change in the future as the collateralization requirement has already changed twice since the protocol was launched. This is slightly less than the 66% you are able to borrow on Compound Finance."

Staking

"CREAM tokens can be staked for a period of up to four years in order to accrue rewards; however, it is important to note that there is no admin unlock available.Therefore, you will only receive your rewards at the end of your staking period."

Liquidity Mining

"We will launch with more liquidity mining incentives, paid in CREAM tokens. Users on our platform can provide liquidity and earn CREAM tokens in addition to trading fees. Only pools from whitelisted tokens will be eligible for CREAM distributions."

  • From their blog (4-10-2020):

"We have renamed the remaining balance of the Liquidity Mining allocation to simply Treasury, which will serve to further provide incentives for two upcoming products in the pipeline and provide funding for future projects."

Scaling

Interoperability

Other Details

Oracle Method

"This protocol documents no front running mitigation techniques. However, as this is primarily a lending protocol, this does not apply. This protocol documents no flashloan countermeasures. This is alarming considered the history this protocol has with flashloan attacks."

"CREAM has completed integration with Band Protocol price oracles on Binance Smart Chain and Fantom — upgrading all lending markets to use $BAND oracles."

Privacy Method

"No personal documentation or credit checks are required to borrow cryptocurrency on Cream Finance and there is also no time limit on when you must pay back the loan."

Their Other Projects

Coordinape

  • From their blog (15-3-2021):

"We are introducing Coordinape: a scalable and permissionless platform to decentralize operations at Yearn and help compensate contributors more effectively. Coordinape will be used to distribute community grants in a decentralized manner. Any individual who has ever received a recurring or community grant will receive an allocation of 100 GIVE tokens. These tokens can be allocated to contributors in the Yearn community to split half of the monthly community grant budget. Salaried Yearn contributors are only eligible to allocate GIVE tokens since they already receive monthly compensation."

CreamSwap

"A native AMM allowing traders to enter and exit convoluted DeFi strategies without having to unwrap, unstake and sell positions composed of numerous assets across a multitude of protocols. For example, users can go from yyCRV, a liquidity provision in Curve staked via a yEarn yVault, directly to USDC, rather than having to unstake and withdraw for ~$100 in gas.

Creamy

Cross-Protocol Flash Loans

"As it will work in Yearn Finance, strategists will have the ability to use the flash loans to optimize returns on their assets at lower costs (Yearn Finance integrates several protocols, saving users gas fees). In addition to the Ethereum ecosystem, the instant loans will also be available on Binance Smart Chain and Fantom through Cream V1."

Iron Bank

"The Iron Bank is CREAM’s paradigm-shifting protocol-to-protocol lending platform and liquidity backstop for the entire DeFi ecosystem."

"What the Iron Bank allows for is protocol to protocol zero collateral lending meaning that a protocol like yEarn or Alpha Finance can borrow assets from Cream without having to overcollateralize. This is possible because Cream can trust the the yEarn protocol itself will pay back the assets that it borrows. Of course, to make this all work requires the coordination and cooperation of the yEarn, Cream and Alpha Finance teams."

"Driven by high yields via Yearn’s use of its veCRV, the crvIB yVault reached $140M less than a month after launch."

Validator Activity

"C.R.E.A.M. makes significant revenue as a validator on BSC and Fantom. C.R.E.A.M. launched its BSC node in May and became a top five validator within a week. Not only is CREAM helping to decentralize these networks, but it’s on track to contribute more than $2M annually to C.R.E.A.M.’s treasury."

Roadmap

  • Can be found [Insert link here].
  • In the announcement of the merger with yEarn it the following was also mentioned as an update (26-11-2020):

"Cream Lending Protocol v2. A focused lending product with a shortlist of Blue Chip tokens accepted as collateral."

Usage

"In under a month since launch, Cream has aggregated more than $300M in TVL, according to DeFi Pulse, largely thanks to CREAM liquidity mining rewards. What started as a lending protocol for trendy DeFi tokens like SUSHI, yETH, and yyCRV has quickly blossomed into a vibrant market of 19 assets and counting, many of which are only available for lending on Cream."

"Driven by high yields via Yearn’s use of its veCRV, the crvIB yVault reached $140M less than a month after launch. C.R.E.A.M. volume on BSC is up 5x since year’s start (usage around October’s launch was driven by liquidity incentives). The protocol is seeing 1000s of new users on B.S.C. each week."

  • After touching a TVL high of above $800M in 2-2021, it has gone down to $328M (13-5-2021).

Projects that use or built on it

yEarn and Cream relationship

  1. "Cream & Yearn merge development resources
  2. Cream & Yearn TVL increases
  3. Yearn vault shares serve as collateral in Cream
  4. Yearn vault strategies get access to leverage through Cream
  5. Cream specializes in lending-related products
  6. Cream becomes the launchpad for Stable Credit
  7. Yearn & Cream launch a new 0 collateral protocol credit solution
  8. Pair lending" 

Competition

  • From Decrypt (30-9-2020), on how it differentiates itself from Compound:

"On CREAM, users can turn these otherwise unproductive assets into yield producing assets or collateral for leveraged trading. While technically simple, this simple change to Compound added genuine value to many users. In recent weeks, CREAM has also added Cream Swap, a fork of Balancer, and has announced plans to launch a new AMM called Creamy."

Pros and Cons

Pros

Cons

  • Multiple of CREAM core members got implicated in fraud by an expose of ZachXBT (16-6-2022).

Team, Funding and Partners

Team

  • Full team can be found [here].

"SWAG’s founder is believed to be the founder of cream.finance: Jeffery Huang, who is not only a crypto OG, but also brother of a famous Taiwanese singer Stanley Huang."

"The core Cream Finance team to consist of four people: founder Jeffrey Huang and three developers with extensive computer science backgrounds, one of which has also worked on OmiseGo and Ethereum."

  • Multiple of CREAM core members got implicated in fraud by an expose of ZachXBT (16-6-2022).

Funding

"With the launch of C.R.E.A.M.'s new tokenomics, $iceCream, 50% of protocol revenues are distributed to iceCream holders. Since launch (4 weeks ago), iceCream stakers have earned 239,254 yvcrvIB, ~35% APR. According to Token Terminal, the C.R.E.A.M. protocol has collected $734.3k of protocol fees over the last 30-days. Annualizing this data, puts C.R.E.A.M. on a run-rate of $8.8M of protocol fees per year."

Partners 

(:

Knowledge empowers us all and will help us get closer to the decentralised world we all want to live in!

Making these free wiki pages is fun but takes a lot of effort and time.

If you have enjoyed reading, tips are appreciated :) This will help us to keep expanding this archive of information.

ETH tip address: 0x83460bE5F218b1520B69D702cE60A1DE37dD8E31