Lending and borrowing platform Cream Finance has been involved in a large, multi-million dollar exploit. The attacker has made off with more than 418 million in Flexa Network’s native token, AMP, and 1,308 Ethereum.
The total sum amounts to $25,678,948, but the price of AMP has already fallen more than 15% at press time, according to CoinGecko. Cream Finance’s native CREAM token is also down nearly 6%.
The attacker’s address currently holds $18.8 million.
The Cream Finance team has stopped further losses by “pausing supply and borrow on AMP,” adding that “no other markets were affected.”
C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract.
We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.
— Cream Finance (@CreamdotFinance) August 30, 2021
PeckShield, a crypto-security firm, explained that the hacker took a 500 Ethereum flash loan and used it to exploit a “reentrancy bug” that was exposed once Cream integrated the AMP token. Flash loans are undercollateralized loans that are borrowed and returned within the same transaction.
Because AMP tokens follow the ERC-777 standard rather than the more common ERC-20, AMP’s token contract uses slightly different code, according to a post-mortem of the attack.
3/4 Specifically, in the example tx, the hacker makes a flashloan of 500 ETH and deposits the funds as collateral. Then the hacker borrows 19M $AMP and makes use of the reentrancy bug to re-borrow 355 ETH inside $AMP token transfer(). Then the hacker self-liquidates the borrow.
— PeckShield Inc. (@peckshield) August 30, 2021
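The sequence PeckShield describes (borrow, the token’s transfer hook hands control to the recipient, a second borrow is approved against collateral whose first debt has not yet been recorded) reduces to an ordering defect in a market’s borrow function. The Python model below is an added illustration and not Cream Finance’s, Compound’s or Flexa’s code: the `Market` and `HookToken` classes, the 100 ETH deposit, the 75-unit borrows and the 75% loan-to-value ratio are assumptions chosen to keep the arithmetic plain. It places the vulnerable ordering (transfer first, debt recorded afterwards) beside the two standard mitigations, checks-effects-interactions ordering and a reentrancy guard, and returns the resulting total debt so each variant can be compared against the collateral limit.

```python
"""Toy model of the borrow-reentrancy pattern in the Cream/AMP post-mortem.
Constructed illustration, not Cream Finance's, Compound's or Flexa's code;
the market, the hook-bearing token, the names and the figures are assumptions.
"""


class ReentrancyError(Exception):
    """Raised by the guard when borrow() is entered a second time mid-call."""


class PlainToken:
    """ERC-20-style ledger: transfer() moves balances and returns to the caller."""

    def __init__(self, holder, supply):
        self.balances = {holder: supply}

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class HookToken(PlainToken):
    """ERC-777-style token: transfer() invokes the recipient's tokensReceived
    hook before control returns to the caller (the behaviour the post-mortem
    attributes to AMP)."""

    def __init__(self, holder, supply):
        super().__init__(holder, supply)
        self.hooks = {}  # recipient -> callable(sender, amount)

    def transfer(self, sender, to, amount):
        super().transfer(sender, to, amount)
        hook = self.hooks.get(to)
        if hook is not None:
            hook(sender, amount)  # recipient code runs in the middle of the transfer


class Market:
    """Lending market with one collateral asset. collateral * LTV bounds the
    borrower's total debt across all assets (every price assumed 1:1)."""

    LTV = 0.75

    def __init__(self, assets, cei, guard):
        self.assets = assets  # asset name -> token held by "market"
        self.cei = cei        # checks-effects-interactions ordering on/off
        self.guard = guard    # reentrancy guard on/off
        self.collateral = {}
        self.debt = {}        # user -> {asset: amount}
        self._entered = False

    def deposit_collateral(self, user, value):
        self.collateral[user] = self.collateral.get(user, 0) + value

    def total_debt(self, user):
        return sum(self.debt.get(user, {}).values())

    def _add_debt(self, user, asset, amount):
        per_asset = self.debt.setdefault(user, {})
        per_asset[asset] = per_asset.get(asset, 0) + amount

    def borrow(self, user, asset, amount):
        if self.guard and self._entered:
            raise ReentrancyError("borrow re-entered through a token hook")
        self._entered = True
        try:
            allowed = self.collateral.get(user, 0) * self.LTV - self.total_debt(user)
            if amount > allowed:
                raise ValueError("borrow exceeds collateral")
            if self.cei:
                # record the debt (effect) before the external call (interaction)
                self._add_debt(user, asset, amount)
                self.assets[asset].transfer("market", user, amount)
            else:
                # vulnerable ordering: the hook fires while this borrow's debt is
                # still unrecorded, so a nested borrow sees unused collateral
                self.assets[asset].transfer("market", user, amount)
                self._add_debt(user, asset, amount)
        finally:
            self._entered = False


def run_scenario(cei, guard):
    """Deposit 100 ETH, borrow 75 AMP; the borrower's hook tries to borrow 75 ETH
    while the AMP debt may still be unrecorded. Returns
    (total_debt, allowed_debt, errors_raised_inside_the_hook)."""
    amp = HookToken("market", 1_000)
    eth = PlainToken("market", 1_000)
    market = Market({"AMP": amp, "ETH": eth}, cei=cei, guard=guard)
    user = "borrower"
    market.deposit_collateral(user, 100)
    hook_errors = []

    def tokens_received(sender, amount):
        try:
            market.borrow(user, "ETH", 75)
        except (ValueError, ReentrancyError) as exc:
            hook_errors.append(type(exc).__name__)

    amp.hooks[user] = tokens_received
    market.borrow(user, "AMP", 75)
    return market.total_debt(user), market.collateral[user] * Market.LTV, hook_errors


if __name__ == "__main__":
    for cei, guard in [(False, False), (True, False), (False, True)]:
        print(f"cei={cei!s:5} guard={guard!s:5} ->", run_scenario(cei, guard))
```

With both mitigations off the borrower ends up with 150 units of debt against a 75-unit limit, which is the shape of the loss the post-mortem describes. Recording the debt before the transfer is enough on its own (the nested borrow then fails the collateral check), and a guard is enough on its own (the nested borrow is refused outright); a market that integrates hook-bearing tokens should keep both, since the ordering fix protects each function individually while the guard catches re-entry paths the ordering review missed.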
Cream Finance is a decentralized finance (DeFi) platform that lets users earn interest on their idle cryptocurrencies. Unlike platforms such as Aave or Compound, Cream runs many more markets for far more esoteric cryptocurrencies. Cream is a fork of the Compound code base.
In February this year, Cream was involved in another hack. In that case an exploit of Alpha Finance was the root cause, and the attack ultimately resulted in the loss of $37.5 million.
Cream Finance joins list of DeFi hacks
The emergent DeFi space has made headline after headline following major exploits similar to today’s. Earlier this month, blockchain analytics company CipherTrace reported that a total of $474 million had been lost via DeFi hacks and fraud.
Hours after that report emerged, Poly Network, an interoperability protocol meant to bridge Ethereum, Polygon, and Binance Smart Chain, suffered a record-breaking hack of $600.3 million.
Despite these heady figures, the exploits continue to roll in. “The crux of the problem lies not in platforms giving out the flash loans,” wrote CipherTrace in their report, “but the unaudited smart contracts the loans are sent to and exploited.”
Editor’s Note [August 30, 2021, at 4:45 am EST]: This article has been updated to show that Flexa Network’s native token, AMP, was involved in the exploit, not Ampleforth’s token AMPL.
Editor’s Note [September 1, 2021, at 8 am EST]: This article has been updated to make clearer that the exploit was due to the way the AMP token was integrated with Cream Finance rather than a bug in the Flexa Network.