Cream Finance DeFi platform loses $19M in a flash loan hack

Published at: Aug. 30, 2021

Cream Finance, a major decentralized finance (DeFi) protocol focused on lending, has suffered a severe exploit, with a hacker stealing nearly $19 million from its platform.

An unknown hacker has managed to gain $18.8 million in the latest flash loan exploit of the Cream Finance protocol through a reentrancy bug introduced by the Amp token, according to an investigation by blockchain security firm PeckShield.

Announcing the news Monday, Cream Finance said that the protocol has stopped the exploit by pausing supply and borrow contracts on the Amp token. “No other markets were affected,” Cream Finance stated.

C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract. We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.

— Cream Finance (@CreamdotFinance) August 30, 2021

PeckShield specified that the hacker exploited the Amp token across 17 separate transactions, re-borrowing assets during the token's transfer before the first borrow was updated. Providing an example transaction, the security firm stated, “The hacker makes a flashloan of 500 ETH and deposits the funds as collateral. Then the hacker borrows 19M $AMP and makes use of the reentrancy bug to re-borrow 355 ETH inside $AMP token transfer. Then the hacker self-liquidates the borrow.”

“The funds are still parked in 0xCE1F….6EDE. We are actively monitoring this address for any movement,” PeckShield added, providing the hacker’s address.

Amp is an Ethereum-based token that is designed to collateralize payments on the digital payments network Flexa. The Amp token contract implements an ERC-777-based registry smart contract known as ERC-1820. Introduced in 2019, the ERC-1820 standard defines a universal registry smart contract where any address “can register which interface it supports and which smart contract is responsible for its implementation.”
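The ordering problem PeckShield describes, and the role of a token that hands control to the recipient mid-transfer, can be seen in a small model. This is an added example, not Cream's or Amp's code: the `Pool` class, the 75% collateral factor, the single price unit and all amounts are constructed assumptions, and the only difference between the two runs is whether the debt is recorded before or after the transfer.

```python
"""Toy model of a lending pool whose token transfer runs recipient code.
All amounts, the 75% collateral factor and the single price unit are constructed."""

class InsufficientCollateral(Exception):
    pass

class Pool:
    FACTOR_PCT = 75  # constructed collateral factor

    def __init__(self, effects_first):
        self.effects_first = effects_first
        self.collateral = {}
        self.debt = {}

    def deposit(self, user, value):
        self.collateral[user] = self.collateral.get(user, 0) + value

    def limit(self, user):
        return self.collateral.get(user, 0) * self.FACTOR_PCT // 100

    def borrow(self, user, value, on_receive=None):
        # Check: debt recorded so far plus this borrow must fit under the limit.
        if self.debt.get(user, 0) + value > self.limit(user):
            raise InsufficientCollateral(user)
        if self.effects_first:
            self.debt[user] = self.debt.get(user, 0) + value  # effect
            self._transfer(user, on_receive)                   # interaction
        else:
            self._transfer(user, on_receive)                   # interaction
            self.debt[user] = self.debt.get(user, 0) + value  # effect, too late

    def _transfer(self, user, on_receive):
        # A hook-capable token hands control to the recipient mid-transfer.
        if on_receive is not None:
            on_receive(self, user)

def run_scenario(effects_first):
    """Borrow 300 against 500 collateral; the receive hook asks for 300 more."""
    pool = Pool(effects_first)
    pool.deposit("borrower", 500)
    outcome = {"nested_rejected": False}

    def hook(p, user):
        try:
            p.borrow(user, 300)  # nested borrow during the first transfer
        except InsufficientCollateral:
            outcome["nested_rejected"] = True

    pool.borrow("borrower", 300, on_receive=hook)
    return pool.debt["borrower"], pool.limit("borrower"), outcome["nested_rejected"]
```

With the transfer first, the nested request is checked against a debt of zero and the account ends up owing more than its limit; with the debt recorded first, the same nested request fails the collateral check.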


Following the attack, both the Amp token and Cream Finance’s native token, CREAM, saw a notable price drop, with Amp plummeting nearly 13% over the past 24 hours. At the time of writing, the Amp token is trading at $0.051908, while the CREAM token is trading at $167, down around 5% over the past 24 hours, according to data from CoinGecko.

As previously reported by Cointelegraph, DeFi product Alpha Homora in February suffered a $37-million hack, which exploited Cream’s Iron Bank protocol-to-protocol lending platform.

The latest flash loan exploit comes amid an increasing number of hacks and exploits on both centralized and decentralized cryptocurrency platforms. On Saturday, the Bilaxy crypto exchange suffered a major hot wallet hack that compromised 295 ERC-20 tokens. Liquid lost nearly $100 million in a hack that took place on Aug. 19.
