DeFi tool Cream Finance hit for over $18 million. Suffers second hack in six months

The hacked DeFi lending protocol already suffered a bigger exploit in February this year.


Decentralized finance (DeFi) lending protocol Cream Finance has announced it lost millions worth of Amp token (AMP) and Ethereum (ETH) in a recent flash loan attack.

The attack is being investigated by blockchain security company PeckShield, which discovered the exploited vulnerability and continues to monitor the flagged address.

No other markets affected

“C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract,” announced Cream Finance earlier today on Twitter, adding that the protocol has stopped the exploit by pausing supply and borrow on Amp token and that no other markets were affected.

Built on Ethereum, Amp token supports a wide variety of use cases for collateralization.

Over $18 million lost due to a reentrancy bug

According to PeckShield, a reentrancy bug introduced on the Amp token contract enabled the flash loan attack.

The hacker used the bug “to re-borrow assets during its transfer before updating the first borrow.”

According to the blockchain security company, the hacker repeated the malicious maneuver in 17 different transactions and exited the attack with a total of 5,980 Ethereum (ETH), worth roughly $18.8 million at the time.

As reported by PeckShield, the stolen funds are “still parked” and the company said that it is actively monitoring the flagged address for any movement.
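
The ordering problem PeckShield describes, re-borrowing during the transfer before the first borrow is recorded, can be shown with a small Python model. This is an added illustration, not Cream Finance's or Amp's contract code; the `Market` class, the receiver hook and all amounts are assumptions made for the example.

```python
# Constructed model: class names, the receiver hook and all amounts are assumptions.
class Reentered(Exception):
    pass

class Market:
    def __init__(self, limit, update_first, guard=False):
        self.limit = limit          # maximum debt the collateral supports
        self.debt = 0               # debt the market has recorded
        self.paid_out = 0           # tokens that actually left the market
        self.update_first = update_first
        self.guard = guard
        self.entered = False

    def borrow(self, amount, on_receive):
        if self.guard and self.entered:
            raise Reentered("borrow called during a transfer")
        if self.debt + amount > self.limit:
            raise ValueError("insufficient collateral")
        self.entered = True
        try:
            if self.update_first:
                self.debt += amount              # effect, then interaction
                self.transfer(amount, on_receive)
            else:
                self.transfer(amount, on_receive)  # interaction, then effect
                self.debt += amount
        finally:
            self.entered = False

    def transfer(self, amount, on_receive):
        self.paid_out += amount
        on_receive(self)            # token hook passes control to the receiver

def receiver(retries):
    left = [retries]
    def hook(market):               # tries to borrow again while mid-transfer
        if left[0] > 0:
            left[0] -= 1
            try:
                market.borrow(100, hook)
            except (ValueError, Reentered):
                pass
    return hook

def run(update_first, guard=False):
    m = Market(limit=100, update_first=update_first, guard=guard)
    m.borrow(100, receiver(3))
    return m.paid_out, m.debt
```

With the transfer placed before the debt update, every nested call passes the collateral check against stale state; recording the debt first, or rejecting re-entry, keeps the payout at the limit.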

Second hack in six months

Chinese blockchain journalist Colin Wu, who also reported on the heist, recalled that the protocol suffered a bigger flash loan attack six months ago.

Together with the Alpha Finance DeFi protocol, Cream Finance fell victim to a $37.5 million exploit in February this year.

The price of Amp token plunged more than 14% in the first hours following the exploit, but has been recovering since.


Despite general market sentiment warming up, the decentralized collateral token has been taking a beating lately, as its price fell more than 29% in the past 30 days.

The price of the Cream Finance (CREAM) governance token, which dropped 6% as a result of the attack, is still struggling to recover.


Meanwhile, some security and crypto experts revisited the risks and concerns surrounding the nascent DeFi market: “DeFi can be hacked for two main reasons: vulnerability in the DeFi smart contract code, or hacking the private key of the smart contract owner who has ‘superpowers’ to control the protocol,” said Lior Lamesh, CEO of GK8, in a note to CryptoSlate.

He added, “In order to prevent such attacks, financial institutions looking to offer DeFi services need to do two main steps: First, reviewing the DeFi smart contract code and validating that it has no vulnerabilities. Second, protecting the smart contract owner’s private key in the highest level of security.”
