​​Cream Finance DeFi platform loses $19M in a flash loan hack

Cream Finance, a major decentralized finance (DeFi) protocol focused on lending, has suffered a severe exploit, with a hacker stealing nearly $19 million from its platform.

An unknown hacker has managed to gain $18.8 million in the latest flash loan exploit of the Cream Finance protocol through a reentrancy bug introduced by the Amp token, according to an investigation by blockchain security firm PeckShield.

Announcing the news Monday, Cream Finance said that the protocol has stopped the exploit by pausing supply and borrow contracts on the Amp token. “No other markets were affected,” Cream Finance stated.

C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract.We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.

— Cream Finance (@CreamdotFinance) August 30, 2021

PeckShield specified that the hacker exploited the Amp token by reborrowing assets during its transfer before updating the first to borrow in 17 separate transactions. Providing an example transaction, the security firm stated, “The hacker makes a flashloan of 500 ETH and deposit the funds as collateral. Then the hacker borrows 19M $AMP and makes use of the reentrancy bug to re-borrow 355 ETH inside $AMP token transfer. Then the hacker self-liquidates the borrow.”

“The funds are still parked in 0xCE1F….6EDE. We are actively monitoring this address for any movement,” PeckShield added, providing the hacker’s address.

Amp is an Ethereum-based token that is designed to collateralize payments on the digital payments network Flexa. The Amp token contract implements ERC-77-based registry smart contract known as ERC-1820. Introduced in 2019, the ERC-1820 standard defines a universal registry smart contract where any address “can register which interface it supports and which smart contract is responsible for its implementation.”

Related: Beleaguered DeFi project xToken suffers second major exploit since May

Following the attack, both the Amp token and Cream Finance’s native token, CREAM, saw a notable price drop, with Amp plummeting nearly 13% over the past 24 hours. At the time of writing, the Amp token is trading at $0.051908, while the CREAM token is trading at $167, down around 5% over the past 24 hours, according to data from CoinGecko.

As previously reported by Cointelegraph, DeFi product Alpha Homora in February suffered a $37-million hack, which exploited Cream’s Iron Bank protocol-to-protocol lending platform.

The latest flash loan exploit comes amid the increasing amount of hacks and exploits among both centralized and decentralized cryptocurrency platforms. On Saturday, Bilaxy crypto exchange suffered a major hot wallet hack leading to 295 ERC-20 tokens being compromised. Liquid lost nearly $100 million in a hack that took place on Aug 19.

Cream Finance to repay stolen Ether and Amp via protocol fees   Sept. 1, 2021
The perfect storm: DeFi hacks will advance the crypto sector moving forward   Aug. 17, 2021
Poly Network hacker appears ready to return stolen funds   Aug. 11, 2021
The radical need for updating blockchain security protocols   June 25, 2021
Cream Finance launches $1.5M bug bounty to improve DeFi security   April 20, 2021