Overview
Cream Finance launched in 2020 as a fork of Compound, initially operating on Ethereum and later expanding to BNB Chain, Fantom, Arbitrum, and Polygon. Cream differentiated itself from Compound and Aave by listing a wide range of assets as collateral — including yield-bearing tokens, LP tokens, and long-tail DeFi tokens that more conservative protocols refused to list. This permissive listing strategy attracted users seeking leverage on exotic DeFi positions.
The strategy proved catastrophic. In 2021, Cream suffered three major exploits:
- February 2021: ~$37.5 million flash loan exploit targeting AMP token collateral
- August 2021: ~$18.8 million exploit
- October 2021: ~$130 million flash loan exploit — one of the largest DeFi hacks at the time
The cumulative losses exceeded $150 million, devastating depositors and effectively destroying the protocol's viability. The October 2021 attack was particularly brutal — a sophisticated flash loan attack exploited Cream's listing of yield-bearing tokens as collateral, using price manipulation to drain the protocol's lending pools.
Cream Finance continues to exist technically but is functionally dead as a meaningful lending platform. Its TVL has collapsed to negligible levels, and no rational actor should trust remaining funds to the protocol. Cream's story is one of DeFi's most important lessons about the catastrophic consequences of poor risk management.
Smart Contracts
Compound Fork
Cream's core contracts are a fork of Compound V2, one of the most audited and battle-tested DeFi codebases. The irony is that Compound's contracts themselves are secure — Cream's failures were not in the base code but in how the protocol configured and extended it. By listing dozens of risky, complex tokens as collateral in a shared-pool system, Cream created attack surfaces that the original Compound design was not intended to handle.
Dangerous Collateral Listings
Cream's fatal decision was listing yield-bearing tokens, LP tokens, and obscure DeFi tokens as collateral. These assets have complex price dynamics, recursive dependencies, and thin liquidity — making them vulnerable to price manipulation. In a shared-pool system where all assets share the same risk pool, one manipulable collateral type endangers every depositor.
Iron Bank
Cream also operated "Iron Bank," a protocol-to-protocol lending facility that allowed whitelisted protocols to borrow without collateral. This concept (inspired by the Yearn collaboration) introduced additional trust assumptions and contributed to cascading risks when exploits occurred.
Security
Catastrophic Failure
Cream's security record is one of the worst in DeFi history. Three major exploits in a single year, totaling $150M+ in losses, represent a complete failure of security practices:
February 2021 (~$37.5M): A flash loan attack exploited the AMP token's ERC-777 callback mechanism to create a reentrancy-like vulnerability in Cream's AMP market. The attacker repeatedly borrowed and re-entered during the callback, draining funds before the accounting updated.
August 2021 (~$18.8M): Another flash loan attack targeting Cream's lending pools.
October 2021 (~$130M): The devastating final blow. The attacker exploited Cream's listing of crYUSD (a yield-bearing Cream token) as collateral. Through a complex series of flash loans and self-referential token minting, the attacker artificially inflated the value of crYUSD, used it as collateral to borrow real assets, and drained the protocol. The attack exploited the fundamental danger of listing recursive yield tokens as collateral.
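The ordering flaw behind the February 2021 incident described above, as an added Python model that is not Cream's or Compound's code: a borrow function that pays out before recording debt, beside the effects-first ordering that closes the gap. The class names, the `tokens_received` hook, and all amounts are constructed for illustration.

```python
class HookToken:
    """Token that calls the receiver during transfer (ERC-777-style hook)."""
    def __init__(self):
        self.balances = {}
    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        hook = getattr(dst, "tokens_received", None)
        if hook:
            hook(amount)  # receiver code runs before transfer() returns

class Market:
    """Lending market; effects_first selects the hardened ordering."""
    def __init__(self, token, cash, effects_first):
        self.token, self.effects_first = token, effects_first
        self.limit, self.debt = {}, {}
        token.balances[self] = cash
    def borrow(self, account, amount):
        if self.debt.get(account, 0) + amount > self.limit.get(account, 0):
            raise PermissionError("borrow exceeds limit")
        if self.effects_first:
            self.debt[account] = self.debt.get(account, 0) + amount
            self.token.transfer(self, account, amount)
        else:
            self.token.transfer(self, account, amount)  # hook fires here
            self.debt[account] = self.debt.get(account, 0) + amount  # too late

class ReenteringReceiver:
    """Constructed test receiver: its hook calls borrow() again."""
    def __init__(self, market, retries):
        self.market, self.retries = market, retries
    def tokens_received(self, amount):
        if self.retries > 0:
            self.retries -= 1
            try:
                self.market.borrow(self, amount)
            except PermissionError:
                pass  # hardened market rejects the nested call

def run(effects_first, limit=100, cash=1000, retries=3):
    """Return (tokens paid out, limit) for one borrow against the receiver."""
    token = HookToken()
    market = Market(token, cash, effects_first)
    receiver = ReenteringReceiver(market, retries)
    market.limit[receiver] = limit
    market.borrow(receiver, limit)
    return token.balances[receiver], limit
```

With the payout-first ordering every nested call passes the limit check against a debt of zero; with debt recorded first, the nested call is rejected and the payout equals the limit.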
Root Cause Analysis
Every Cream exploit shared a common root cause: listing complex, manipulable assets as collateral in a shared-pool system. Compound and Aave avoided these exploits by maintaining strict, conservative collateral listing policies. Cream's aggressive listing strategy was not innovative risk tolerance — it was negligence.
No Recovery
Unlike some exploited protocols that have rebuilt (like Euler), Cream has not recovered. The protocol has not meaningfully addressed its systemic risk management failures, and the trust deficit is irreparable.
Risk Management
Total Failure
Cream's risk management deserves the lowest possible score. Every design decision compounded risk:
- Shared-pool architecture with exotic collateral: The combination of shared-pool risk (where one bad asset endangers all) with permissive listing of manipulable tokens created a ticking time bomb.
- Insufficient collateral analysis: Complex yield-bearing tokens were listed without adequate analysis of their manipulation vectors, price oracle reliability, or recursive dependencies.
- No circuit breakers: The protocol lacked effective supply caps, borrow limits, or automatic pausing mechanisms that could have limited exploit damage.
- Repeated failure to learn: After the February 2021 exploit, Cream did not implement sufficient changes to prevent the August and October attacks. Three exploits in eight months suggest systemic risk management failure, not isolated incidents.
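What the controls named in the "No circuit breakers" item look like in practice, as an added Python model that is not code from Cream or any other protocol: a borrow cap plus an outflow breaker that pauses the market when too much leaves within a block window. The class, the thresholds, and the two request sequences are constructed for illustration.

```python
class Paused(Exception):
    pass

class CapExceeded(Exception):
    pass

class GuardedMarket:
    """Lending market with a borrow cap and an outflow circuit breaker."""
    def __init__(self, cash, borrow_cap, window, max_outflow):
        self.cash = cash
        self.borrow_cap = borrow_cap    # max total outstanding borrows
        self.window = window            # breaker look-back, in blocks
        self.max_outflow = max_outflow  # max borrowed out per window
        self.borrowed = 0
        self.outflows = []              # (block, amount) inside the window
        self.paused = False

    def borrow(self, block, amount):
        if self.paused:
            raise Paused("market paused")
        if amount > self.cash or self.borrowed + amount > self.borrow_cap:
            raise CapExceeded("borrow cap or cash exceeded")
        self.outflows = [(b, a) for b, a in self.outflows
                         if block - b < self.window]
        if sum(a for _, a in self.outflows) + amount > self.max_outflow:
            self.paused = True  # trip the breaker; stays paused until reviewed
            raise Paused("outflow limit hit")
        self.outflows.append((block, amount))
        self.borrowed += amount
        self.cash -= amount

def replay(market, borrows):
    """Apply (block, amount) borrow requests; return total paid out."""
    for block, amount in borrows:
        try:
            market.borrow(block, amount)
        except (Paused, CapExceeded):
            pass  # rejected request
    return market.borrowed

INF = float("inf")
BURST = [(1, 200)] * 5  # constructed: five borrows in one block
STEADY = [(1, 200), (20, 200), (40, 200), (60, 200)]  # constructed: spread out

def compare():
    """Return (unguarded burst, guarded burst, guarded steady) payouts."""
    unguarded = replay(GuardedMarket(1000, INF, 10, INF), BURST)
    burst = replay(GuardedMarket(1000, 600, 10, 300), BURST)
    steady = replay(GuardedMarket(1000, 600, 10, 300), STEADY)
    return unguarded, burst, steady
```

The single-block burst empties the unguarded market, while the guarded one pays out once and pauses; ordinary borrowing spread over time is limited only by the borrow cap.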
Industry Impact
Cream's failures contributed directly to the industry's improved understanding of lending protocol risk management. Aave's conservative listing process, Compound's gradual addition of assets, and the development of isolated lending protocols (Silo, Morpho) were all influenced by Cream's catastrophic example.
Adoption
Effectively Dead
Cream's TVL has collapsed to negligible levels. No significant DeFi user or protocol actively uses Cream for lending. The protocol exists on-chain but serves no meaningful purpose. Any remaining deposits should be withdrawn immediately.
Historical Peak
At its peak in early 2021, Cream had over $1.5 billion in TVL — demonstrating that reckless strategies can attract capital in bull markets before the inevitable collapse. The complete destruction of that TVL is a testament to how quickly trust can evaporate in DeFi.
Legacy
Cream's primary legacy is educational. It is the case study most cited in DeFi risk management discussions, the example that security researchers use to illustrate the dangers of shared-pool lending with exotic collateral.
Tokenomics
CREAM Token
The CREAM token has collapsed in value, reflecting the protocol's destruction. Trading volume is thin and speculative. The token retains no meaningful utility given the protocol's effective death.
Worthless Governance
CREAM governance controls a protocol with no meaningful TVL or usage. Governance power over nothing is worth nothing.
Risk Factors
- PROTOCOL IS EFFECTIVELY DEAD. Do not deposit funds.
- $150M+ in historical losses across three major exploits in 2021.
- No meaningful recovery or risk management improvements implemented.
- Negligible TVL and activity — the protocol serves no functional purpose.
- CREAM token is effectively worthless with no revenue, utility, or governance value.
- Smart contract risk — remaining contracts have received no meaningful maintenance.
- Any interaction with Cream carries extreme risk with zero rational reward.
Conclusion
Cream Finance is DeFi's most important cautionary tale. The protocol demonstrated, with $150 million in user losses, exactly what happens when a lending protocol lists exotic, manipulable collateral in a shared-pool system without adequate risk controls. The three exploits in 2021 were not bad luck — they were the predictable consequence of reckless risk management.
The 1.8 overall score — one of the lowest possible — reflects a protocol that failed catastrophically and has not recovered. The security score of 1 and risk management score of 1 reflect the severity of the failures. Any remaining interaction with Cream Finance carries extreme, unjustifiable risk. The protocol's value lies entirely in its lessons: conservative collateral listing saves lives, isolated risk markets prevent contagion, and aggressive DeFi strategies can destroy hundreds of millions in weeks.
Do not use Cream Finance. Study it.