Cream Finance exploited in $18.8 million flash loan attack

DeFi • August 30, 2021, 5:59PM EDT
UPDATED: August 30, 2021, 6:18PM EDT
The Block

Decentralized finance (DeFi) lending protocol Cream Finance suffered an exploit Monday when a hacker utilized a weakness in the $AMP token contract to level a flash loan attack — resulting in $18.8 million stolen.

The protocol notified the community this morning that 418,311,571 in AMP and 1,308.09 ETH were lost in the attack. For the time being, AMP supply and borrow have been paused. The team has not responded to a request for comment on the findings of the ongoing investigation or the timing of when AMP lending will resume.

A post-mortem analysis from blockchain analysis firm PeckShield is in the works, according to Cream. PeckShield has tweeted some of its findings thus far, although it remains unclear if a formal post-mortem will be published in tandem with Cream. 

According to PeckShield, the $AMP contract introduced a reentrancy bug allowing for a flash loan attack. These types of attacks enable hackers to continue to borrow assets with minimal collateral since they can continue to re-borrow funds as long as they are returned within one transaction block.

In the case of Cream, the hacker made a flash loan of 500 ETH and deposited the funds as collateral before borrowing 19 million AMP, according to PeckShield's initial analysis. Then they used the reentrancy vulnerability in the $AMP contract to additionally borrow 355 ETH inside the $AMP transaction before self-liquidating. 

THE SCOOP

Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

The hacker executed this process over 17 transactions, resulting in the total lost funds, now worth over $18 million. While it's unclear who the attacker is, PeckShield is monitoring the address.

"The funds are still parked in 0xCE1F….6EDE. We are actively monitoring this address for any movement," they said in a tweet.

No other markets were affected in the attack, according to Cream. 

Though this is the first flash loan attack to hit CreamFinance, the protocol did experience a domain name hijack earlier this year. Users were presented with a fake web portal aimed at tricking users into inputting information related to their private keys.

Flash loans remain a controversial tool in the DeFi ecosystem. Some protocol founders continue to point to the possible benefits and equalizing aspects despite the many hacks that have levied the tool. 

About Author

Aislinn Keely is a reporter on The Block's policy team holding down the legal beat. She covers court decisions, bankruptcies, regulatory actions and other key moments in the legal sphere, putting them in context for the wider crypto industry. Before The Block, she lent her voice to the NPR affiliate WFUV and helmed Fordham University's student newspaper. Send tips or thoughts on all things policy and legal to [email protected] or follow her on Twitter for updates @AislinnKeely.

More by Aislinn Keely