Cream Finance loses $18.8 million in a flash loan attack

Decentralised finance (DeFi) platforms have lost hundreds of millions of dollars to hackers over the last few months, and the situation continues to worsen.

DeFi lending protocol Cream Finance announced yesterday that it had suffered an exploit, resulting in a loss of nearly $19 million. In an official announcement yesterday, Cream Finance said the hacker exploited a weakness in the $AMP token contract to execute a flash loan attack.

C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract.

We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.

— Cream Finance 🍦 (@CreamdotFinance) August 30, 2021

According to the developers, the protocol lost 418,311,571 AMP tokens and 1,308.09 ETH coins as a result of the attack. The total coins and tokens lost were worth $18.8 million. Following the attack, the Cream Finance developers have paused the AMP supply and borrow.

Cream Finance further announced that blockchain analysis firm PeckShield is currently conducting a postmortem of the attack. PeckShield has been sharing some of its findings with the cryptocurrency community.

PeckShield said the $AMP contract brought in a re-entrancy bug, providing the perfect environment for a flash loan attack. Flash loan attacks allow hackers to continue borrowing assets with little collateral. This is because they can continue to re-borrow the funds as long as they return them within the same transaction block.

PeckShield said with Cream Finance, the attacker carried out a flash loan of 500 ETH, deposited the funds as collateral and proceeded to withdraw the 19 million AMP tokens. The hacker went on to exploit the re-entrancy flaw in the $AMP contract to borrow an extra 355 ETH within the same AMP transaction before liquidating.

The analysis revealed that the hacker executed the attack over 17 transactions, stealing $18.8 million in the process. At the moment, it is unclear who the hacker is, but PeckShield is monitoring the receiving address for any movement.

Decentralised finance protocols have suffered numerous attacks since the start of the year. The biggest of them happened earlier this month, with Poly Network losing $611 million to a hacker.

However, the hacker had a change of mind and returned the funds to the protocol. The hacker was offered the role of the chief security advisor to the Poly Network project and a bounty of $500,000.