Cream Finance hit by a 2nd attack in 6 months
The last few weeks have been a fruitful time for attackers of decentralized finance (DeFi) protocols. The Cream Finance lending and borrowing protocol has just suffered a major attack valued at several million dollars.
According to the Cream Finance team, the attacker who exploited the flaw took nearly 418 million AMP tokens and 1,308 Ethers (ETH). At the time of the attack, the total amount taken by the hacker was nearly $25.7 million. The Ethereum address identified as belonging to the hacker currently holds $18.8 million.
To prevent further losses, the Cream Finance team has suspended all AMP token-specific functionality. It also states that other markets on the platform are not affected.
C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract.
We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.
– Cream Finance (@CreamdotFinance) August 30, 2021
According to experts at PeckShield, a company specializing in crypto-security, the attacker took out a "flash loan" of 500 ETH, which was used to exploit a bug in the smart contract of Ampleforth and steal AMP tokens. As a reminder, flash loans are under-collateralized loans that are borrowed and repaid within the same transaction.
Specifically, the attacker deposited ETH as collateral in the protocol, borrowed $19 million worth of AMP, and used a reentrancy bug to re-borrow 355 ETH with a smart contract feature. By repeating the operation 17 times, the attacker managed to accumulate a jackpot of 5,980 Ethers.
– PeckShield Inc. (@peckshield) August 30, 2021
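The reentrancy pattern described above, as an added example that is not from the article or from Cream Finance's code: a toy Python model of a lending pool that records debt either after or before the external transfer callback. The `Pool` class, its method names and all amounts are hypothetical and constructed, and the model collapses the AMP and ETH markets into a single unit of value.

```python
# Added illustration: a toy lending pool, not Cream Finance's contract code.
# Pool, borrow, on_receive and all amounts are hypothetical/constructed.
class Pool:
    def __init__(self, safe):
        self.safe = safe        # True: effects before interaction, plus a guard
        self.collateral = {}    # account -> collateral value
        self.debt = {}          # account -> borrowed value
        self.locked = False     # reentrancy guard flag

    def deposit(self, who, value):
        self.collateral[who] = self.collateral.get(who, 0) + value

    def borrow(self, who, value, on_receive=None):
        if self.safe and self.locked:
            raise RuntimeError("reentrant call rejected")
        # Check: total debt must stay within the collateral value.
        if self.debt.get(who, 0) + value > self.collateral.get(who, 0):
            raise ValueError("insufficient collateral")
        self.locked = True
        try:
            if self.safe:       # effect recorded before the external call
                self.debt[who] = self.debt.get(who, 0) + value
            if on_receive:      # interaction: transfer notifies the recipient
                on_receive(self)
            if not self.safe:   # effect recorded too late: check above saw stale debt
                self.debt[who] = self.debt.get(who, 0) + value
        finally:
            self.locked = False

def run_scenario(safe):
    pool = Pool(safe)
    pool.deposit("borrower", 100)
    rejected = []
    def hook(p):                # recipient callback that calls back into the pool
        try:
            p.borrow("borrower", 80)
        except (RuntimeError, ValueError) as exc:
            rejected.append(str(exc))
    pool.borrow("borrower", 80, on_receive=hook)
    return pool.debt["borrower"], pool.collateral["borrower"], rejected

if __name__ == "__main__":
    print("late bookkeeping :", run_scenario(safe=False))
    print("hardened ordering:", run_scenario(safe=True))
```

With late bookkeeping the nested call passes the collateral check against a debt of zero, so the account ends up owing more than its collateral; with the debt written first and the guard set, the nested call is refused.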
This is not the first time that Cream Finance has been hit by such a major attack. Last February, the protocol also suffered a flash-loan attack and had the equivalent of $37.5 million in cryptocurrencies stolen.
Attacks against DeFi protocols remain as common as ever. Whether on Ethereum, Binance Smart Chain or other blockchains that are starting to develop a large ecosystem of applications, the risk persists despite the many security audits performed by specialized companies.
About the author: Clément Wardzala
Editor-in-Chief of Cryptoast, I discovered Bitcoin and blockchain technology in 2017. Since then, I’ve been striving to share qualitative content to make the industry more democratic for everyone.