Cream Finance (CREAM)

From CryptoCurrency Wiki

(Redirected from CREAM)

"C.R.E.A.M Finance is a decentralized peer-to-peer (P2P) DeFi platform that provides lending, borrowing, swap, payment and tokenization services for digital assets. The C.R.E.A.M. Finance protocol was created as a Compound Finance fork, while its C.R.E.A.M. SWAP exchange is based on the code of Balancer Labs."Lua error: Cannot create process: proc_open is not available. Check PHP's "disable_functions" configuration directive.

Basics

History

"What happens when you fork Compound and add lending pools for DeFi’s most degen assets? You get Cream Finance."

Audits & Exploits

"This protocol's software function documentation is also documented in full at this location. While C.R.E.A.M. is a fork of Compound, they directly state this alongside explaining where to find the relevant documentation. There is no evidence of any C.R.E.A.M code coverage, however there is a reasonably complete set of tests. C.R.E.A.M. has not undergone formal verification."

With the comment: "To improve their score, C.R.E.A.M. should develop more robust admin control information alongside clearer timelock and pause control documentation."

  • Previously scored of 83% (12-4-2021): "A single quick audit was performed by a top notch auditing firm; Trail of Bits. This was done in January and V2 of CREAM appears was deployed around Aug 2020." With the comment: "Re-did their site, filling in the details needed and now score 83%, pretty solid across the board."
  • This was after an earlier score of 8% (10-2020). When asked by their team to re-evaluate, DeFi Safety first stood by its earlier score (30-1-2021). But the later improvements changed it.
  • From the yEarn partnership blog (13-5-2021):

"An audit of C.R.E.A.M. v1 and v2/Iron Bank with Trail of Bits was completed in January. No high severity vulnerabilities were identified."

Bugs/Exploits

"To recompense victims of the attack, Cream said it will issue to certain affected members 1.45 million CREAM tokens from the service’s treasury. While Cream has 9 million coins outstanding, per CoinMarketCap, only 150,000 of those are in circulation. By so rapidly expanding the supply of coins in circulation, it’s bound to affect demand and therefore the per-coin price.

And affect it it did. The price of the coin fell from around $88 to as low as $51.78, according to Messari, before rebounding to $56.44 in recent trading. Before the exploit on Oct. 27, CREAM was trading above $152."

Cream Finance has been hacked (again) for ~$130 million. That’s position number three on our leaderboard, the second entry for the Cream Finance protocol, and ten positions in total for the Yearn Ecosystem. The hacker was able to take advantage of a pricing vulnerability by repeatedly lending and borrowing flash-loaned funds across two addresses. Next, after accumulating yUSDVault-collateralised crYUSD, the price of the underlying yUSDVault token was manipulated in order to effectively double the value of the collateral owned by the attacker. Finally, using the now overvalued collateral, the attacker drained CREAM’s lending vaults of as many assets as possible. A full table of the stolen funds, which include over 2760 ETH, a total of 76 BTC in renBTC, WBTC and HBTC, as well as tens of millions in stablecoins and other tokens, can be found here.

Other protocols were named in a mysterious message in the main exploit transaction’s input data; gÃTµ Baave lucky, iron bank lucky, cream not. ydev : incest bad, dont do

In Mudit Gupta’s Observations and Theories about the attack, he points out several reasons why he believes the hacker, (or hackers) to be experienced DeFi developers, and how it is not the average black hat attack.

"Cream Finance returned $18.8M worth of crypto assets with an assistance of Pascal Caversaccio and Lossless."

"Cream Finance was audited by Trail of Bits (one of the few auditors absent from our leaderboard) on Jan 28th 2021. However, even the strongest audit becomes irrelevant once the protocol is changed. On Feb 10th 2021, the Cream proposal to add the AMP token came into effect, and the loophole opened up. Although they were involved with the Alpha Finance incident, this is actually the first direct attack to hit Cream Finance. However, as @muditgupta pointed out;

seems like [Cream] would have been safe had they just added reentrancy protection on their borrow/lend function."

"Cream Finance patched a bug in a discontinued mining rewards contracts after it was responsibly disclosed by Armor’s Azeem."

"Cream Finance has written $1.3 million in bad debt due to a crash in the price of SWAG tokens. The tokens were used as collateral in one of Cream Finance's liquidity pools. Cream Finance will pay users from its reserves."

"Hackers compromised PancakeSwap’s and Cream Finance’s websites yesterday. The Domain Name Service (DNS) attack modified the affected protocols’ website to display a request for the user’s seed phrase, which, if submitted, would compromise their entire account. Because the attack was not on a smart contract itself it is still unclear how many users the hacker tricked into sending their seed phrase as well as the total amount the attack netted."

  1. "The attackers is the only user who is in the (announced) sUSD pool for Alpha Homora
  2. The attacker borrows ETH from Cream’s Ironbank by using the sUSD as collateral
  3. The attacker then repay the debt accrued from borrowing the sUSD, however due to a very minor borrowing error he is able to profit a very tiny amount through this exploit
  4. The method to make this tiny profit is then re-executed multiple times in order to reach a size where the profit exceeds well into the 7 figure range
  5. The hacker has outstanding debt to the Ironbank via Alpha Homora but of course is never going to repay it
  6. Hacker starts washing funds through Tornado and gives a friendly donation of 1,000 ETH to Alpha and Cream in the process

Important clarification: Cream lenders haven’t directly lost money but they have an outstanding loan from Alpha Homora that needs to be repaid. Alpha as a platform is a borrower on Cream similar to if the ALPHA token was used as collateral.

What’s interesting here is that Alpha received 2 audits and yet this exploit still happened. The exploit is so complex it took many researchers and developers hours to truly understand what really went down suggesting that even the existing audit capabilities we have don’t fully measure up."

Governance

Admin Keys

"The relevant contracts are not identified as immutable. While this is inferred via the voting process, it is unclear precisely in documentation. Ownership is not clearly indicated C.R.E.A.M.'s documentation. Some staking contract permissions are identified, but this requires more clarity. Smart contract change capabilities are inferred but not clearly identified in the contracts. This protocol's pause control is documented but not explained in this location. There is no evidence of regular testing. It is a fork of Compound's pause guardian.C.R.E.A.M. has no timelock documentation."

  • In the announcement of the merger with yEarn it the following was also mentioned as an update (26-11-2020):

"CREAM multi-sig keys will be rotated to facilitate rapid iteration, testing, and deployment."

"Token and protocol admin keys are moving into a multisig this week, governed by community leaders. We welcome @compoundfinance onboard as our technical and security advisor. Thank you multisig holders @rleshner @pet3rpan_ @QCPCapital @Rewkang & more."

DAO

"While the project had been hinting a transition to a DAO since it was released, this was officially announced by Cream Finance on September 2nd. While Cream Finance’s DAO is still in development, the Medium posts seems to indicate that it will take bits and pieces from other projects such as Aragon to build it. CREAM token holders will have governance, though it is unclear how voting will work at the current time."

Listing Committee

  • From their blog (24-6-2021):

"The Listing Committee votes on:

  1. Asset Listing
  2. Reserve Factors
  3. Collateral Factors
  4. Collateral Caps

Which C.R.E.A.M. markets will the listing committee vote on? Ethereum V1, BSC, Arbitrum, and Fantom

There are five members of the Listing Committee — three must vote ‘yes’ in order for a proposal to pass. The default time for voting is three days, but the committee can take up to five days."

Treasury

  • From their blog (4-10-2020):

"We have renamed the remaining balance of the Liquidity Mining allocation to simply Treasury, which will serve to further provide incentives for two upcoming products in the pipeline and provide funding for future projects."

"On Ethereum C.R.E.A.M. v1, we converted revenues from 47 assets into $1,522,339.12 in stable coins. We then invested these stables into yield-generating stables (yvusdp3CRV $715,235.42; yvCurve-IronBank $721,224.61) and ETH (9.85).

On C.R.E.A.M. BSC, we converted 80% of revenues from 26 assets into $465K of BUSD. These funds were then redeposited into C.R.E.A.M. BSC to earn a yield.

In total, C.R.E.A.M. now has $7M in our treasury derived from protocol fees. Additionally, the 20% of fees generated from Ethereum and BSC lending platforms continue to serve as a liquidity and reserve in our markets."

Token

Launch

Token allocation

"Users who create and deposit into liquidity pools on Swap will receive a proof token named CRPT (Cream Pool Token), similar to how Balancer has BPT and Uniswap has UNI for their liquidity providers. At the start, all exchange fees will be set to 0.25%. Liquidity providers will receive 0.2%, while the other 0.05% will go to the CREAM network."

"The tokens have been allocated as follows:

  1. 10% (900,000) of tokens will go to the team and advisors, 75% of which will vest over four years and a six month cliff;
  2. 10% will be used as seed with four years vesting (one year cliff);
  3. 20% (1.8 million) CREAM will be used to incentivize liquidity providers;
  4. 60 (5.4 million) is allocated for governance.

*25% of the team allocation, 225,000 CREAM, has been allocated to our technical and security advisor Compound Finance, distributed monthly, 37,500 per month. These tokens are legally locked. They will not enter circulation until February 8th, 2021.

We have moved 8,325,000, 92.5% of CREAM tokens into the multisig wallet."

  • Made a move to burn 67.5% of their supply (19-9-2020):

"This burn will include 100% of the “governance” tokens, and 75% of the Seed tokens. Governance does not necessarily need to govern token treasury. Yearn Finance’s governance does not, and that is the norm so far. Even by burning all of the Governance allocation, C.R.E.A.M. still has plenty of collected fees and tokens in the treasury. Thanks to our seed investors and their continued support and sacrifices for the project, they have agreed to a 75% burn in exchange for accelerated vesting of 1-year, monthly vesting.

We have renamed the remaining balance of the Liquidity Mining allocation to simply Treasury, which will serve to further provide incentives for two upcoming products in the pipeline and provide funding for future projects."

  • Issued 1.45 million CREAM tokens after an exploit to compensate users (14-11-2021).

Utility

  • The CREAM token allows users to lend, borrow, stake or swap assets and help govern the network, allowing them to vote on assets to support or delist (13-5-2021).

"A portion of interest as well as transaction fees are collected by the platform, and distributed to CREAM token holders as rewards."

Token Details

Coin Distribution

"FTT dominates over 50% of the total liquidity on Cream Finance. Cream governance last week voted to partially delist FTT from the platform, reducing its borrowing power, as a response."

Tech

"With 312 commits and 27 branches, C.R.E.A.M 's main smart contract repository is the cream of the crop."

Implementations

How it works

"Rather than interest rates being set by individuals, they are determined algorithmically based on the proportion of assets lent out."

"As with Compound Finance, to borrow cryptocurrency on Cream Finance you need to deposit an amount of cryptocurrency (in USD) which is greater than the amount of cryptocurrency you will be borrowing (in USD). This deposited crypto is referred to as collateral and having more money deposited than you are borrowing is referred to as overcollateralization. You are currently allowed to borrow up to 60% of the USD value of the cryptocurrency you deposited. This may change in the future as the collateralization requirement has already changed twice since the protocol was launched. This is slightly less than the 66% you are able to borrow on Compound Finance."

Staking

"CREAM tokens can be staked for a period of up to four years in order to accrue rewards; however, it is important to note that there is no admin unlock available.Therefore, you will only receive your rewards at the end of your staking period."

Liquidity Mining

"We will launch with more liquidity mining incentives, paid in CREAM tokens. Users on our platform can provide liquidity and earn CREAM tokens in addition to trading fees. Only pools from whitelisted tokens will be eligible for CREAM distributions."

  • From their blog (4-10-2020):

"We have renamed the remaining balance of the Liquidity Mining allocation to simply Treasury, which will serve to further provide incentives for two upcoming products in the pipeline and provide funding for future projects."

Scaling

Interoperability

Other Details

Oracle Method

"This protocol documents no front running mitigation techniques. However, as this is primarily a lending protocol, this does not apply. This protocol documents no flashloan countermeasures. This is alarming considered the history this protocol has with flashloan attacks."

"CREAM has completed integration with Band Protocol price oracles on Binance Smart Chain and Fantom — upgrading all lending markets to use $BAND oracles."

Privacy Method

"No personal documentation or credit checks are required to borrow cryptocurrency on Cream Finance and there is also no time limit on when you must pay back the loan."

Compliance

Their Other Projects

Coordinape

  • From their blog (15-3-2021):

"We are introducing Coordinape: a scalable and permissionless platform to decentralize operations at Yearn and help compensate contributors more effectively. Coordinape will be used to distribute community grants in a decentralized manner. Any individual who has ever received a recurring or community grant will receive an allocation of 100 GIVE tokens. These tokens can be allocated to contributors in the Yearn community to split half of the monthly community grant budget. Salaried Yearn contributors are only eligible to allocate GIVE tokens since they already receive monthly compensation."

CreamSwap

"A native AMM allowing traders to enter and exit convoluted DeFi strategies without having to unwrap, unstake and sell positions composed of numerous assets across a multitude of protocols. For example, users can go from yyCRV, a liquidity provision in Curve staked via a yEarn yVault, directly to USDC, rather than having to unstake and withdraw for ~$100 in gas.

Creamy

Cross-Protocol Flash Loans

"As it will work in Yearn Finance, strategists will have the ability to use the flash loans to optimize returns on their assets at lower costs (Yearn Finance integrates several protocols, saving users gas fees). In addition to the Ethereum ecosystem, the instant loans will also be available on Binance Smart Chain and Fantom through Cream V1."

Iron Bank

"The Iron Bank is CREAM’s paradigm-shifting protocol-to-protocol lending platform and liquidity backstop for the entire DeFi ecosystem."

"What the Iron Bank allows for is protocol to protocol zero collateral lending meaning that a protocol like yEarn or Alpha Finance can borrow assets from Cream without having to overcollateralize. This is possible because Cream can trust the the yEarn protocol itself will pay back the assets that it borrows. Of course, to make this all work requires the coordination and cooperation of the yEarn, Cream and Alpha Finance teams."

"Driven by high yields via Yearn’s use of its veCRV, the crvIB yVault reached $140M less than a month after launch."

Validator Activity

"C.R.E.A.M. makes significant revenue as a validator on BSC and Fantom. C.R.E.A.M. launched its BSC node in May and became a top five validator within a week. Not only is CREAM helping to decentralize these networks, but it’s on track to contribute more than $2M annually to C.R.E.A.M.’s treasury."

Roadmap

  • Can be found [Insert link here].
  • In the announcement of the merger with yEarn it the following was also mentioned as an update (26-11-2020):

"Cream Lending Protocol v2. A focused lending product with a shortlist of Blue Chip tokens accepted as collateral."

Usage

"In under a month since launch, Cream has aggregated more than $300M in TVL, according to DeFi Pulse, largely thanks to CREAM liquidity mining rewards. What started as a lending protocol for trendy DeFi tokens like SUSHI, yETH, and yyCRV has quickly blossomed into a vibrant market of 19 assets and counting, many of which are only available for lending on Cream."

"Driven by high yields via Yearn’s use of its veCRV, the crvIB yVault reached $140M less than a month after launch. C.R.E.A.M. volume on BSC is up 5x since year’s start (usage around October’s launch was driven by liquidity incentives). The protocol is seeing 1000s of new users on B.S.C. each week."

  • After touching a TVL high of above $800M in 2-2021, it has gone down to $328M (13-5-2021).

Projects that use or built on it

yEarn and Cream relationship

  1. "Cream & Yearn merge development resources
  2. Cream & Yearn TVL increases
  3. Yearn vault shares serve as collateral in Cream
  4. Yearn vault strategies get access to leverage through Cream
  5. Cream specializes in lending-related products
  6. Cream becomes the launchpad for Stable Credit
  7. Yearn & Cream launch a new 0 collateral protocol credit solution
  8. Pair lending" 

Competition

  • From Decrypt (30-9-2020), on how it differentiates itself from Compound:

"On CREAM, users can turn these otherwise unproductive assets into yield producing assets or collateral for leveraged trading. While technically simple, this simple change to Compound added genuine value to many users. In recent weeks, CREAM has also added Cream Swap, a fork of Balancer, and has announced plans to launch a new AMM called Creamy."

Pros and Cons

Pros

Cons

Team, Funding and Partners

Team

  • Full team can be found [here].

"SWAG’s founder is believed to be the founder of cream.finance: Jeffery Huang, who is not only a crypto OG, but also brother of a famous Taiwanese singer Stanley Huang."

"The core Cream Finance team to consist of four people: founder Jeffrey Huang and three developers with extensive computer science backgrounds, one of which has also worked on OmiseGo and Ethereum."

Funding

"With the launch of C.R.E.A.M.'s new tokenomics, $iceCream, 50% of protocol revenues are distributed to iceCream holders. Since launch (4 weeks ago), iceCream stakers have earned 239,254 yvcrvIB, ~35% APR. According to Token Terminal, the C.R.E.A.M. protocol has collected $734.3k of protocol fees over the last 30-days. Annualizing this data, puts C.R.E.A.M. on a run-rate of $8.8M of protocol fees per year."

Partners 

Retrieved from "https://cryptocurrencywiki.org/index.php?title=Cream_Finance_(CREAM)&oldid=32615"