- Cream Finance was hacked for $130 million this week.
- Yearn developers have suggested Aave has the same vulnerability.
Dodgers and Giants. India and Pakistan. Vin Diesel and The Rock.
Time to add another rivalry to the list: Aave and Yearn.
Earlier this week, Cream Finance—an -based lending protocol— suffered its third attack this year as hackers made off with a cool $130 million. Now, people are starting to point fingers. In a Thursday article, DeFi publication Rekt suggested that Yearn Finance, an ever-expanding set of decentralized lending and trading protocols that began integrating with Cream last year even as it merged with Pickle Finance and pursued other ventures, should bear the blame: "The Yearn Finance decentralised monopoly has grown too large, and its operators; [sic] too careless. Why accumulate so many protocols if you don’t care for their users?"
The war of words is spilling out onto Twitter, where thinly veiled subtweets from prominent Aave contributors abounded.
So, what's this all about? And what's it got to do with Aave, a totally different lending protocol with similar services?
Yearn Finance and Cream Finance, which was forked from Compound, share a connection via the two developer teams, and the projects share integrations, such as the Iron Bank. Some Aave community members, meanwhile, have suspected Yearn developers of forking Aave to their own ends. So when details of the $130 million hack broke, some Aave community members took the opportunity to throw shade not at Cream, but at Yearn, which has a wide reach.
Banteg, one of the most prominent Yearn developers, took issue with that. “Maybe don't bad mouth other projects while sitting on an 11 figure vulnerability,” he tweeted. (Banteg has yet to respond to a Decrypt request for comment.)
Banteg’s tweet followed one from Yearn founder Andre Cronje today: “Aave core after 24 hour defamation marathon on yearn for cream being exploited, while Aave is vulnerable to the same exploit.”
Such rumors likely prompted Tron founder Justin Sun to pull billions of dollars in crypto out of his Aave liquidity holdings today.
Yet that exploit information wasn’t fully public; it was the type of intel sharing the Soviets and Americans might have done through backchannels during the Cold War. Now, if such a vulnerability exists, it’s out in the open, leaving Aave exposed. The protocol’s users are now voting on a governance proposal to temporarily freeze or disable features that could lead to the same exploit that affected Cream. The proposal calls the measures "precautionary."
Stani Kulechov, founder of Aave, told Decrypt that he doesn’t see any bad blood between the two projects. He added, however, “We build together but it’s always tricky once everyone is looking at their own communities.”
The string of exploits has prevented CREAM from rising to the top of decentralized finance. And while DeFi degens aren't often ones to cry over spilt milk, they will argue about who spilt it.