In the latest in an ongoing string of attacks on the DeFi sector, decentralised finance company Cream Finance was hacked to the tune of over 25 Million USD.
Blockchain security company Peckshield reported the Cream Finance Hack on August 30 2021, saying the attack took the form of a 500 ETH flash loan, which was used to exploit a bug in the smart contract of the Flex Network. Normally, flash loans are under-collateralized loans that are borrowed and repaid in a single transaction.
Peckshield said the hack was made possible due to a reentrancy bug introduced by $AMP, which is an ERC777-like token, and exploited to re-borrow assets during its transfer before updating the first borrow. Specifically, in the example tx, the hacker makes a flashloan of 500 ETH and deposits the funds as collateral. Then the hacker borrows 19M $AMP and makes use of the reentrancy bug to re-borrow 355 ETH inside $AMP token transfer(). Then the hacker self-liquidates the borrow.
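The ordering problem described above can be reproduced in a simplified single-market model. This is an added example, not Cream's or AMP's contract code; the class names, the 1:1 collateral rule and the amounts are all constructed assumptions. It shows the vulnerable order (transfer first, record debt after) beside the corrected order (record debt, then transfer).

```python
# Constructed model: 1 unit of collateral backs 1 unit of debt, one asset.
class HookToken:
    """ERC777-like token: transfer() invokes a hook on the recipient."""
    def transfer(self, market, to, amount):
        to.received += amount
        to.on_tokens_received(market)  # recipient code runs mid-transfer

class Market:
    def __init__(self, token, record_first):
        self.token = token
        self.record_first = record_first  # True = checks-effects-interactions
        self.collateral, self.debt = {}, {}

    def deposit(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def borrow(self, user, amount):
        owed = self.debt.get(user, 0)
        if owed + amount > self.collateral.get(user, 0):
            return False  # check: borrow would be under-collateralized
        if self.record_first:
            self.debt[user] = owed + amount          # effect first
            self.token.transfer(self, user, amount)  # then interaction
        else:
            self.token.transfer(self, user, amount)  # interaction first (bug)
            self.debt[user] = self.debt.get(user, 0) + amount
        return True

class Borrower:
    """Recipient whose hook asks for a second borrow during the transfer."""
    def __init__(self, second_amount):
        self.received, self.second_amount = 0, second_amount
        self.reentered, self.second_ok = False, None

    def on_tokens_received(self, market):
        if not self.reentered:
            self.reentered = True
            self.second_ok = market.borrow(self, self.second_amount)

def run(record_first):
    """Return (recorded debt, collateral, whether the nested borrow passed)."""
    market = Market(HookToken(), record_first)
    user = Borrower(second_amount=70)
    market.deposit(user, 100)
    market.borrow(user, 80)
    return market.debt[user], market.collateral[user], user.second_ok

if __name__ == "__main__":
    print("transfer before record:", run(record_first=False))
    print("record before transfer:", run(record_first=True))
```

With the debt written before the transfer, the nested borrow sees the first one and fails the collateral check; a reentrancy guard on `borrow` would reject it as well.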
Cream Finance Hack confirmed – protocols in place to prevent further loss
The Cream Finance Hack was confirmed by the company, which also reported working with Peckshield on their Discord channel. The team said the hack was conducted on the CREAM v1 market on the Ethereum blockchain. Following the attack, the price of AMP slipped 15% within a few hours, whilst the CREAM token sank around 6%.
The Cream Finance Hack is the latest attack on the growing DeFi sector. It follows attacks on the Poly Network, as well as on Iron Finance and the Neko Network, which we reported on previously. All of these have seen funds stolen in the last couple of months.
The Cream Finance team say they have now put protocols in place to prevent further losses, with a pause on AMP’s supply and borrowing. This isn’t the first Cream Finance Hack this year, with a huge attack earlier in the year seeing a loss of over $37.5M of digital assets.