
Cream Finance exploited in $18.8 million flash loan attack

Decentralized finance (DeFi) lending protocol Cream Finance suffered an exploit Monday when a hacker used a weakness in the $AMP token contract to launch a flash loan attack, resulting in $18.8 million stolen.

The protocol notified the community this morning that 418,311,571 in AMP and 1,308.09 ETH were lost in the attack. For the time being, AMP supply and borrow have been paused. The team has not responded to a request for comment on the findings of the ongoing investigation or the timing of when AMP lending will resume.

A post-mortem analysis from blockchain analysis firm PeckShield is in the works, according to Cream. PeckShield has tweeted some of its findings thus far, although it remains unclear if a formal post-mortem will be published in tandem with Cream. 

According to PeckShield, the $AMP contract introduced a reentrancy bug allowing for a flash loan attack. These types of attacks enable hackers to keep borrowing assets with minimal collateral, since they can re-borrow funds as long as they are returned within one transaction block.

In the case of Cream, the hacker made a flash loan of 500 ETH and deposited the funds as collateral before borrowing 19 million AMP, according to PeckShield’s initial analysis. Then they used the reentrancy vulnerability in the $AMP contract to additionally borrow 355 ETH inside the $AMP transaction before self-liquidating. 
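
The ordering problem behind a reentrant borrow, as an added Python model that is not Cream's, AMP's or PeckShield's code: a market hands tokens to the recipient through a transfer hook and only afterwards records the debt, so a second borrow made inside the hook passes the collateral check. The `Market` and `ReentrantBorrower` names, the 75% limit, the amounts and the position of the debt update are assumptions of the model; the page does not give that level of detail.

```python
# Toy model with constructed, unit-less values. Hypothetical names throughout.

class Market:
    LTV = 75  # assumed: percent of collateral value that may be borrowed

    def __init__(self, debt_before_transfer):
        # True  = hardened ordering (record debt, then make the external call)
        # False = vulnerable ordering (external call first, debt recorded after)
        self.debt_before_transfer = debt_before_transfer
        self.collateral = {}  # account -> collateral value
        self.debt = {}        # account -> total borrowed value

    def deposit(self, who, value):
        self.collateral[who] = self.collateral.get(who, 0) + value

    def borrow(self, who, value, token_has_hook=False):
        # Check: existing debt plus the new borrow must stay within the limit.
        limit = self.collateral.get(who, 0) * self.LTV // 100
        if self.debt.get(who, 0) + value > limit:
            raise ValueError("insufficient collateral")
        if self.debt_before_transfer:
            self.debt[who] = self.debt.get(who, 0) + value
        if token_has_hook:
            # Interaction: the token transfer notifies the recipient,
            # which hands control to code the market does not own.
            who.on_tokens_received(self)
        if not self.debt_before_transfer:
            self.debt[who] = self.debt.get(who, 0) + value


class ReentrantBorrower:
    """Recipient whose receive hook borrows again while the first borrow runs."""

    def __init__(self, second_borrow):
        self.second_borrow = second_borrow
        self.rejected = False

    def on_tokens_received(self, market):
        try:
            market.borrow(self, self.second_borrow)
        except ValueError:
            self.rejected = True  # the nested borrow failed the collateral check


def run(debt_before_transfer):
    """Deposit 100, borrow 60 of a hook-enabled token, re-borrow 60 in the hook."""
    market = Market(debt_before_transfer)
    user = ReentrantBorrower(second_borrow=60)
    market.deposit(user, 100)
    market.borrow(user, 60, token_has_hook=True)
    return market.debt[user], user.rejected
```

With the vulnerable ordering the account ends with debt of 120 against a limit of 75; with the debt recorded before the transfer, the nested borrow is rejected and debt stays at 60.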

The hacker executed this process over 17 transactions, resulting in the total lost funds, now worth over $18 million. While it’s unclear who the attacker is, PeckShield is monitoring the address.

“The funds are still parked in 0xCE1F….6EDE. We are actively monitoring this address for any movement,” they said in a tweet.

No other markets were affected in the attack, according to Cream. 

Though this is the first flash loan attack to hit Cream Finance, the protocol did experience a domain name hijack earlier this year. Users were presented with a fake web portal aimed at tricking them into inputting information related to their private keys.

Flash loans remain a controversial tool in the DeFi ecosystem. Some protocol founders continue to point to the possible benefits and equalizing aspects despite the many hacks that have leveraged the tool.

theblockcrypto
