CREAM exploit post mortem

Gro DAO
Oct 28, 2021

This article is the response to the CREAM exploit this week, in which Gro Vault users lost a portion of funds. While Gro protocol worked as expected, and PWRD users are unaffected, this is a tough moment and many of us have suffered personal losses in this hack. The core team is working hard to recover all funds possible and we are grateful for all the community support we have received.

Summary

On Wednesday, Oct 27th, CREAM Finance was hacked and lost ~$130mn. Unfortunately, Gro protocol had 2 of its 7 strategies allocated into CREAM at the time of attack, totalling $9.24mn. The diversified portfolio of the protocol means only 14.9% of total TVL was impacted. The risk tranching protection means the losses were completely covered by Vault so that PWRD could remain unaffected. This resulted in a 21.97% write down for Vault value. PWRD value, together with the ability to redeem or transfer, remained unaffected at all times.

The core team is pursuing various ways to recover funds from CREAM but there is nothing to share yet. Once this is clear, Gro will explore compensation options for users, including a proposal to compensate remaining Vault users who were affected by front-running of Vault exits.

After the exploit, concerns have been raised that CREAM is an unreliable protocol given previous exploits to the platform. CREAM has been fully removed from the strategy portfolio and the core team is accelerating and formalising the DAO’s influence on protocol & strategy selection to ensure it’s fully informed by the broad expertise that now exists within Gro DAO. Besides DAO involvement in strategy development, the core team is also accelerating several other initiatives to strengthen the security of Gro.

Timeline of Events

Hyperlinks contained in reference section at end of document

Key observations

  • Gro protocol worked as expected, with PWRD unaffected throughout.
  • Because the CREAM losses were not realised on CREAM’s side, Gro protocol could not automatically account for the loss, and required manual intervention to assess and realise it.
  • Before the loss was realised, some Vault users withdrew their funds quickly, to avoid sharing the Vault downside.
  • The core team took action to prevent further front-running as described in the timeline above. The value of the funds withdrawn from the app in this time period was $2.95m.
  • Gro will create a proposal to compensate remaining GVT users who were negatively affected by this.
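The effect described in these observations can be reproduced with a small two-tranche accounting model. This is an added illustration, not Gro protocol code: the class, function names and all figures (in $m) are constructed, and the model assumes a junior "Vault-like" tranche that absorbs losses before a senior "PWRD-like" tranche.

```python
from dataclasses import dataclass


@dataclass
class Tranches:
    """Simplified model (assumption): junior absorbs losses before senior."""
    senior: float         # senior tranche value, protected by the junior tranche
    junior: float         # junior tranche value as currently booked
    junior_shares: float  # outstanding junior shares

    def junior_price(self) -> float:
        return self.junior / self.junior_shares

    def withdraw_junior(self, shares: float) -> float:
        """Redeem junior shares at the *booked* price, which is stale
        while a known loss has not yet been realised."""
        paid = shares * self.junior_price()
        self.junior -= paid
        self.junior_shares -= shares
        return paid

    def write_down(self, loss: float) -> None:
        """Realise a strategy loss: junior first, senior only for any excess."""
        absorbed = min(loss, self.junior)
        self.junior -= absorbed
        self.senior -= loss - absorbed


def remaining_holder_loss(shares_exited_first: float, loss: float):
    """Return (fractional price drop for remaining junior holders, senior value)
    when some junior shares exit before the loss is written down."""
    # Constructed starting state: 20 senior, 40 junior, junior price 1.0
    t = Tranches(senior=20.0, junior=40.0, junior_shares=40.0)
    if shares_exited_first:
        t.withdraw_junior(shares_exited_first)
    price_before = t.junior_price()
    t.write_down(loss)
    return round(1 - t.junior_price() / price_before, 4), t.senior


if __name__ == "__main__":
    # Loss realised before anyone exits: all junior holders share it equally.
    print(remaining_holder_loss(0.0, 9.0))
    # 3 shares exit at the stale price first: the same loss falls on fewer shares.
    print(remaining_holder_loss(3.0, 9.0))
```

In both cases the senior tranche is untouched; the only difference is that exits at the pre-write-down price concentrate the same loss on the holders who remain, which is why withdrawals have to be gated until the loss is booked.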

Looking forward

This is a tough moment and many of us have suffered personal losses in this hack, but we continue to move forward and improve. The primary focus right now is on (1) fund recovery, and (2) learnings and improvements.

(1) Fund recovery

We hope that at least a portion of funds will be recovered from CREAM and are working hard to ensure this is the case. This could either be in the form of money flowing back into the Vault (e.g. from CREAM borrower repayments), or from the CREAM protocol reserves.

The form of restitution depends on how recoveries from CREAM are distributed:

  1. Any funds recovered directly from the strategies (e.g. from CREAM borrower repayments) have to go through the protocol as increased yield. The team does not have the ability to redistribute or redirect these funds due to the trustless nature of the protocol.
  2. Any funds recovered as an airdrop or other form of restitution from CREAM protocol itself would go to Gro protocol, who could then choose how to distribute these funds.

In addition, Gro could propose other forms of restitution for users (e.g. from Gro DAO). In particular, Gro will create a proposal to compensate remaining GVT users who were negatively affected by front-running of other Vault users.

(2) Learnings and improvements for Gro

We will examine the following three areas over the coming days and weeks:

  1. Yield strategy decisions
  2. Profit sharing between PWRD and Vault
  3. Enhanced security reviews for Gro protocol

Yield strategy decisions

Gro strategies have been clearly communicated to users on the app dashboard, including the exposure to CREAM. CREAM has had several audits from reputable firms, and is based on a battle-tested codebase (Compound). However, there have also been exploits of the protocol already this year, and in hindsight this should have been given more weight when selecting strategies.

As Gro has now transitioned into a DAO, strategy selection will become part of the public discussion.

Profit sharing between PWRD and Vault

Although the protocol worked as designed to protect PWRD deposits from losses, we have received very thoughtful feedback from the community that the profit sharing ratio between PWRD and Vault may not accurately reflect the different levels of risk that each party is taking. We are considering how to change this through a max cap on the PWRD APY which will increase Vault APY.

Enhanced security reviews for Gro protocol

Although the hack was on CREAM and not Gro protocol, it’s a timely reminder of the continued importance of security, especially as Gro TVL has increased significantly in the last month.

We are examining several options such as the following, and welcome any suggestions for hardening our protocol security.

Next steps

These topics will be addressed separately in the Gro community forum with various discussions and proposals. We encourage all DAO members to be a part of the debate, as well as to suggest if there are other areas that need reflection.

Once again we are grateful for the community support over what has been a tough 24hrs for all of us 💜

Timeline hyperlink references

  1. CREAM exploit took place (transaction)
  2. The community and team saw messages on twitter and in the Gro discord #general-chat channel that suggested there was a potential attack on CREAM
  3. CREAM announced that they were investigating the exploit but did not realise losses.
  4. Gro core team announced the temporary measures in discord and telegram
  5. Gro core team announced that the protocol had written down the CREAM strategies and resumed deposit & withdrawal functions
