DeFi tool Cream Finance hit for over $18 million. Suffers second hack in six months
The hacked DeFi lending protocol already suffered a bigger exploit in February this year.
Decentralized finance (DeFi) lending protocol Cream Finance has announced it lost millions worth of Amp token (AMP) and Ethereum (ETH) in a recent flash loan attack.
The attack is being investigated by blockchain security company PeckShield, which discovered the exploited vulnerability and continues to monitor the flagged address.
No other markets affected
“C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract,” announced Cream Finance earlier today on Twitter, adding that the protocol has stopped the exploit by pausing supply and borrow on Amp token. According to the protocol, no other markets were affected.
Built on Ethereum, Amp token supports a wide variety of use cases for collateralization.
Over $18 million lost due to a reentrancy bug
According to PeckShield, a reentrancy bug introduced by the Amp token contract enabled the flash loan attack.
The hacker used the bug “to re-borrow assets during its transfer before updating the first borrow.”
According to the blockchain security company, the hacker repeated the malicious maneuver in 17 different transactions and exited the attack with a total of 5,980 Ethereum (ETH), worth roughly $18.8 million at the time.
2/4 The hack is made possible due to a reentrancy bug introduced by $AMP, which is an ERC777-like token and exploited to re-borrow assets during its transfer before updating the first borrow. pic.twitter.com/oVg0w1FWFt
— PeckShield Inc. (@peckshield) August 30, 2021
As reported by PeckShield, the stolen funds are “still parked” and the company said that it is actively monitoring the flagged address for any movement.
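The ordering problem PeckShield describes can be shown in a simplified Python model, added here for illustration and not taken from Cream Finance's or Amp's contract code. A token with an ERC777-style recipient hook hands control to the borrower mid-transfer, and the market records the debt either after the transfer or before it; all class names, amounts and the collateral limit are constructed.

```python
class HookToken:
    """Token that notifies the recipient during transfer (ERC777-style hook)."""
    def __init__(self):
        self.balances = {}

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient pool liquidity")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = getattr(recipient, "on_tokens_received", None)
        if hook:
            hook(amount)  # control passes to the recipient before transfer() returns

class Market:
    """Lending pool; effects_first selects when the debt is written."""
    def __init__(self, token, liquidity, effects_first):
        self.token, self.effects_first, self.debt = token, effects_first, {}
        token.balances[self] = liquidity

    def borrow(self, borrower, amount, collateral_limit):
        # Check: the limit is evaluated against the debt recorded so far.
        if self.debt.get(borrower, 0) + amount > collateral_limit:
            raise RuntimeError("borrow exceeds collateral limit")
        if self.effects_first:
            # Hardened order: record the debt, then make the external call.
            self.debt[borrower] = self.debt.get(borrower, 0) + amount
            self.token.transfer(self, borrower, amount)
        else:
            # Flawed order: external call first, so a nested borrow sees stale debt.
            self.token.transfer(self, borrower, amount)
            self.debt[borrower] = self.debt.get(borrower, 0) + amount

class ReenteringAccount:
    """Constructed recipient whose hook calls borrow() again, bounded by depth."""
    def __init__(self, market, limit, depth):
        self.market, self.limit, self.depth, self.rejected = market, limit, depth, 0

    def on_tokens_received(self, amount):
        if self.depth > 0:
            self.depth -= 1
            try:
                self.market.borrow(self, amount, self.limit)
            except RuntimeError:
                self.rejected += 1  # the market refused the nested borrow

def simulate(effects_first):
    """Return (tokens received, recorded debt, rejected nested borrows)."""
    token = HookToken()
    market = Market(token, liquidity=1000, effects_first=effects_first)
    account = ReenteringAccount(market, limit=100, depth=3)
    market.borrow(account, 100, account.limit)
    return token.balances[account], market.debt[account], account.rejected
```

With the debt written after the transfer, every nested call passes a limit check that should have failed; with the debt written first, the first nested call is refused.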
Second hack in six months
Chinese blockchain journalist Colin Wu, who also reported on the heist, recalled that the protocol suffered a bigger flash loan attack six months ago.
Cream Finance was founded by Taiwan entertainment star Jeffrey Huang. In February, it was attacked by a flash loan and lost 37.5 million US dollars.
— Wu Blockchain (@WuBlockchain) August 30, 2021
Together with DeFi protocol Alpha Finance, Cream Finance fell victim to a $37.5 million exploit in February this year.
The price of Amp token plunged more than 14% in the first hours following the exploit, but has been recovering since.
Despite general market sentiment warming up, the decentralized collateral token has been taking a beating lately, as its price fell more than 29% in the past 30 days.
The price of the Cream Finance (CREAM) governance token, which dropped 6% as a result of the attack, is still struggling to recover.
Meanwhile, some security and crypto experts revisited the risks and concerns surrounding the nascent DeFi market: “DeFi can be hacked for two main reasons: vulnerability in the DeFi smart contract code, or hacking the private key of the smart contract owner who has ‘superpowers’ to control the protocol,” said Lior Lamesh, CEO of GK8, in a note to CryptoSlate.
He added, “In order to prevent such attacks, financial institutions looking to offer DeFi services need to do two main steps: First, reviewing the DeFi smart contract code and validating that it has no vulnerabilities. Second, protecting the smart contract owner’s private key in the highest level of security.”