You are currently viewing DeFi Project Cream Finance Involved in $25M Flash Loan Exploit

Lending and borrowing platform Cream Finance has been involved in a large, multi-million dollar exploit. The attacker has made off with more than 418 million in Flexa Network’s native token, AMP, and 1,308 Ethereum

The total sum amounts to $25,678,948, but the price of AMP has already fallen more than 15% at press time, according to CoinGecko. Cream Finance’s native CREAM token is also down nearly 6%

The attacker’s address indicates that they currently have $18.8 million. 

The Cream Finance team has stopped further losses by “pausing supply and borrow on AMP,” adding that “no other markets were affected.” 

PeckShield, a crypto-security firm, explained that the hacker was able to make a 500 Ethereum flash loan which was used to exploit a “reentrancy bug” found in the Flex Network smart contract. Flash loans are undercollateralized loans that are borrowed and returned within the same transaction.

Cream Finance is a decentralized finance (DeFi) platform that lets users earn interest on their idle cryptocurrencies. Unlike Platforms like Aave or Compound, Cream has many more markets for many more esoteric cryptocurrencies. Cream is a fork of the Compound code base. 

In February this year, Cream was involved in another hack. At that time, an exploit of Alpha Finance was the root cause of the attack, which ultimately resulted in the loss of $37.5 million.

Cream Finance joins list of DeFi hacks

The emergent DeFi space has made headline after headline following major exploits similar to today. Earlier this month, blockchain analytics company CipherTrace reported that a total of $474 million had been lost via DeFi hacks and fraud.

Hours after that report emerged, Poly Network, an interoperability protocol meant to bridge Ethereum, Polygon, and Binance Smart Chain, suffered a record-breaking hack of $600.3 million.

What The Poly Network Hack Reveals About DeFi

Despite these heady figures, the exploits continue to roll in.  “The crux of the problem lies not in platforms giving out the flash loans,” wrote CipherTrace in their report, “but the unaudited smart contracts the loans are sent to and exploited.”

Editor’s Note [August 30, 2021, at 4:45 am EST]: This article has been updated to show that Flexa Network’s native token, AMP, was involved in the exploit, not Amplforth’s token AMPL.