CREAM Exploit Restitution Proposal

On October 27th, the CREAM Finance platform was exploited for $130m in various assets, including Keep3r.

This proposal is aimed to provide aid to the victims of the exploit who were in possession of Keep3r tokens on CREAM. A few of the victims are long time supporters of the Keep3r protocol, and have been involved with the project since its inception. At the time of this post, the reimbursement provided by the CREAM team is less than 1/20th of the value of the Keep3r tokens lost. The CREAM team has no plans to restore the Ethereum v1 CREAM markets.

About 2000 Keep3r tokens were supplied on the CREAM platform at the time of the exploit. 871.599 tokens were stolen by the exploiter. The remaining tokens were loaned out at the time of the attack, and will not be returned, as the Ethereum lending market is no longer in operation.

Should the Keep3r community vote in favor of this proposal, KP3R tokens will be minted and proportionally divided between the Keep3r holders who were victims of the exploit (taking into account the amount of Keep3r tokens supplied as well as borrowing limit used). The CREAM repayment may also be deducted before restitution is distributed.

Tokens may also be vested over four years as vKP3R, should the community deem it necessary. Some options of how to proceed have been presented below:

  1. Mint and distribute the full amount of Keep3r tokens lost (taken by exploiter + withdrawn by borrowers)
  2. Mint and distribute the amount of Keep3r tokens stolen by exploiter
  3. Mint and distribute the full amount of Keep3r tokens lost as vKp3r, vested over 4 years
  4. Mint and distribute the amount of Keep3r tokens stolen by exploiter as vKp3r, vested over 4 years
  5. Mint and distribute a different amount
  6. Do nothing
1 Like

I support this proposal. The amount of kp3r tokens misplaced (~2k) is about 0.75% of the total circulating amount of kp3r. Such a small amount being minted, I feel at least, would have minimal impact on the protocol as a whole but would be a significant windfall for the token holders who lost their holdings. I’m not entirely sure which option is most appropriate, and would be interested to hear the thoughts from members of the community. I will add that I am in support of either straight up kp3r being minted or vkp3r (or a mix of both?), as I think either approach achieves the same effect.

I’m curious to know, should this proposal succeed and some form of compensation is agreed upon for the impacted users, when exactly the snapshot would take place? I would assume the block(s) immediately after the attacker drained the funds from the cream lending market.

An additional option may be to allocate some of the minted tokens to the kp3r treasury so that everyone, even members of the community not directly impacted by the exploit, will be the beneficiary of the minting of the tokens. e.g. Community decides to mint 2k tokens and distribute to kp3r holders impacted by the exploit, but 10% of these tokens will be sent to the kp3r treasury, meaning the remaining 1800 are left for distribution. Just an idea.

1 Like
  1. Do nothing.

Actually there shouldn’t even be a vote for this.

Proposals should benefit the ecosystem of Keep3r, not for specific token holders.

The Fed prints money for the benefit of the whole country.

If Bob has $10m savings in a bank and the bank was robbed.
Bob lost 0.00000x of total circulating supply of USD. It’s a really small portion. Bob asks the Fed to print money for him. Does that make sense?

If this was passed, it will not only make huge threat to Keep3r, but also whole #DeFi ecosystem.

It will be very unlikely for $KP3R to survive. Holders will be scared to hold & be dilluted without a proper reason.
People will not be buying insurance, $NXM dies.
#DeFi suffers too.

As Najia said in Discord, “Invest at your own risk, if you have nice % apr it is because it is risky …”

Others have locked their tokens to earn by giving up liquidity.

You earn interest without giving up liquidity, but should bear the risks from the lending platform.


I am against this proposal, as it sets a bad precedent for accountability of those who are exploited/where the exploit happens. It was not a vulnerability of the kp3r itself but a third party. what do you propose if something similar happens in the future? It is like asking a bystander of a car accident for partial compensation as you both use the same public infrastructure. The fault lies within cream/users as both know the risks involved and part-take with speculation of future gains.
I am sorry for what has happened but this isn’t the right avenue to go about this. Proposals in my mind are there to benefit the protocol/project and ecosystem this does neither. If you want to start a petition with CREAM to receive a better outcome. I am more than willing to help


Both @0xSato and @gibooo make valid points. In fact, there was a time when I would wholeheartedly agree with their sentiment. But consider this: Why is this the accepted sentiment? If something can be done to help one another, should we not entertain that idea? I was drawn to DeFi because it seemed obvious to me that the mentality of DeFi participants is different to that of our TradFi counterparts, yet I consistently see the same selfishness that dominates TradFi leak into DeFi, and it’s disappointing. We are better than this. There is more than enough pie for everyone to get a slice, but we are conditioned to believe that once you have your slice you must hold onto it for dear life, as every man and dog will come after you and rip it out of your hands. I disagree with the notion that passing this proposal with any options 1 to 5, would be harmful to KP3R. I believe it will have the opposite effect, and demonstrate that this protocol aims to be different.

So just to be clear, I am not saying @0xSato or @gibooo are being selfish, I just disagree with the idea that such a proposal would destroy the protocol, and that furthermore, accountability must be placed squarely on users. With that mentality, no one should use DeFi or any of these protocols. CREAM was the target this time. Unfortunately it will not be the last protocol to experience such a vulnerability. We have an opportunity to set the tone for vulnerabilities moving forward.