By Hannah Perez
The lending protocol suffered a flash loan attack that resulted in losses of more than $25 million. Cream Finance previously fell victim to a similar hack in February.
Cream Finance, a decentralized finance (DeFi) protocol based on Binance Smart Chain (BSC) and focused on loans, was the victim of a hack that has resulted in losses in excess of USD $20 million.
The Cream Finance developer team announced the hack this Monday via Twitter. According to the team, the hacker reportedly took advantage of a reentrancy bug in the token contract for AMP, a Consensys-backed digital collateral token listed on the platform.
“The C.R.E.A.M. v1 marketplace on Ethereum has suffered an attack, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH through re-entry into the AMP token contract,” they wrote, and assured:
We have stopped the exploit by pausing bidding and lending on AMP. No other markets have been affected.
C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract.
We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.
– Cream Finance (@CreamdotFinance) August 30, 2021
At the time of editing this article, the loss of funds in AMP and Ethereum cryptocurrencies totals USD $26.7 million, based on current prices.
Cream Finance suffers flash loan attack
According to research by the blockchain security firm PeckShield, the unknown attacker used a flash loan before exploiting the reentrancy bug. The firm, which led the initial analysis, detailed the hacker's steps in a tweet:
“The hacker makes a flash loan of 500 ETH and deposits the funds as collateral. Then, the hacker borrows 19M $AMP and makes use of the re-entry error to re-borrow 355 ETH within the $AMP token transfer. Then, the hacker autoloans the loan,” PeckShield explained. The hacker repeated this process several times to extract the funds.
3/4 Specifically, in the example tx, the hacker makes a flashloan of 500 ETH and deposits the funds as collateral. Then the hacker erases 19M $AMP and makes use of the reentrancy bug to re-borrow 355 ETH inside $AMP token transfer(). Then the hacker self-liquidates the borrow. pic.twitter.com/ryVX2RoxhJ
– PeckShield Inc. (@peckshield) August 30, 2021
Based on Ethereum, AMP is a token designed to secure payments on the digital payment network Flexa. The AMP token contract implements the ERC-777-based smart contract registry known as ERC-1820. Introduced in 2019, the ERC-1820 standard defines a universal registry contract where any address “can register which interface is supported and which smart contract is responsible for its implementation.”
The PeckShield team told the media outlet Crypto Briefing that there could be a “risk of composability between Compound-based borrowing protocols and ERC-777-like tokens.”
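The composability risk described above can be seen in a simplified model, added here as an example (it is not code from Cream Finance, AMP or PeckShield). It assumes a market that records a borrower's debt only after the token transfer, and a token that calls a recipient hook during transfer as ERC-777-style tokens do; every class, method and value below is hypothetical.

```python
# Added example: simplified model, all names hypothetical, values constructed.
class HookToken:
    """Token that calls a recipient hook during transfer (ERC-777-like)."""
    def transfer(self, market, to, amount):
        hook = getattr(to, "tokens_received", None)
        if hook:
            hook(market, amount)  # external call into recipient code

class Market:
    def __init__(self, collateral_factor=0.75, hardened=False):
        self.collateral = {}      # account -> collateral value
        self.debt = {}            # account -> borrowed value
        self.cf = collateral_factor
        self.hardened = hardened  # True: record debt before transferring
        self.token = HookToken()

    def deposit(self, who, value):
        self.collateral[who] = self.collateral.get(who, 0) + value

    def liquidity(self, who):
        return self.collateral.get(who, 0) * self.cf - self.debt.get(who, 0)

    def borrow(self, who, value):
        if value > self.liquidity(who):
            raise ValueError("insufficient collateral")
        if self.hardened:
            self.debt[who] = self.debt.get(who, 0) + value  # effect first
            self.token.transfer(self, who, value)
        else:
            self.token.transfer(self, who, value)           # hook runs here
            self.debt[who] = self.debt.get(who, 0) + value  # recorded too late

class ReentrantBorrower:
    """Recipient whose hook requests one more borrow mid-transfer."""
    def __init__(self):
        self.reentered = False

    def tokens_received(self, market, amount):
        if not self.reentered:
            self.reentered = True
            try:
                market.borrow(self, amount)
            except ValueError:
                pass  # hardened market rejects the nested borrow

def debt_after_borrow(hardened):
    m, b = Market(hardened=hardened), ReentrantBorrower()
    m.deposit(b, 100)   # constructed values: limit is 100 * 0.75 = 75
    m.borrow(b, 75)
    return m.debt[b]
```

With the unhardened ordering the account ends with 150 of debt against a limit of 75, because the nested call passes the collateral check before the first borrow is recorded. Recording the debt before the transfer, or wrapping `borrow` in a reentrancy guard, keeps it at 75.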
As a result of the event, both AMP and Cream Finance’s native token, CREAM, experienced a notable price drop. The former has fallen 8% in the last 24 hours, trading at USD $0.054, while CREAM is trading at USD $163, down nearly 7%.
Its second hack in 2021
The teams at Cream Finance and PeckShield are still investigating the attack, though they said that a post-mortem will be conducted soon.
This is the second time in the last six months that this DeFi platform has been hacked. In February, Cream Finance lost about USD $37.5 million in what was then labeled as one of the largest flash loan hacking attacks.
Flash loan attacks, which have become very popular in 2021, take advantage of one of DeFi’s most controversial features: loans that don’t require collateral. Flash loans are blockchain-based loans in which large amounts of tokens are borrowed, used for some purpose, and repaid, all in the same transaction.
The latest attack on Cream Finance comes amid a growing wave of hacks on DeFi protocols, centralized platforms and other projects in the blockchain space. A few weeks ago we reported that the DeFi protocol PolyNetwork (https://www.diariobitcoin.com/negocios/verticales/seguridad/poly-network-ofrece-a-hacker-puesto-como-advisor-head-of-security/) was hacked for USD $600 million. The centralized exchange Liquid Global also recently suffered an attack, with losses estimated at USD $90 million.
Version by Hannah Estefania Perez / DiarioBitcoin