The decentralized finance (DeFi) protocol Cream Finance suffered a hack this Monday, August 30. Cybercriminals exploited a vulnerability in the smart contracts for flash loan (instant loan) operations to steal USD 18.8 million in ether (ETH) and the AMP (AMP) token.
Cream Finance is a DeFi platform that offers cryptocurrency loans. According to a post on its official Twitter account, the hackers took advantage of a reentrancy flaw in the code of AMP's smart contracts. The team clarified, however, that it has already managed to stop the attack and that "no other market was affected."
The criminals took 1,308.09 ETH (equivalent to USD 4.3 million at the time of writing, according to the CriptoNoticias price index) and 418,311,571 AMP (more than USD 22.5 million, although part of it went into other transactions made by the hackers, which reduced the amount). For the moment, AMP transactions are suspended on the platform and it is not known when they will resume.
Cream Finance hack details
According to a preliminary analysis published on Twitter by the blockchain analytics company PeckShield, the bug in the contract allowed the hackers to take out repeated loans before the previous operations had been updated. In other words, they could take out several loans using the same collateral, so that later they only repaid a part of what was extracted.
In this way, the criminals were able to make 17 transactions to keep the loot. They first borrowed 500 ETH and used it to borrow 19 million AMP. Then, thanks to the reentrancy bug in the contract, they requested another 355 ETH before the first trade was settled. Once the process was completed, they repeated the operation several times until reaching the sum of USD 18.8 million.
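The ordering problem described above, shown as an added example that is not Cream Finance's or AMP's contract code: a simplified Python model of a lending pool, assuming the token transfer hands control to a recipient callback. All names and amounts are constructed. It compares recording the debt after the transfer with recording it before (checks-effects-interactions).

```python
class Pool:
    """Toy lending market: recorded debt may not exceed collateral value."""

    def __init__(self, update_before_transfer):
        self.update_before_transfer = update_before_transfer
        self.collateral = {}  # account -> collateral value
        self.debt = {}        # account -> recorded debt
        self.paid_out = 0     # total actually sent to borrowers

    def deposit(self, who, amount):
        self.collateral[who] = self.collateral.get(who, 0) + amount

    def _transfer(self, amount, on_receive):
        self.paid_out += amount
        if on_receive:
            on_receive()  # external call: control leaves the pool here

    def borrow(self, who, amount, on_receive=None):
        # Check: solvency is judged against the *recorded* debt only.
        if self.debt.get(who, 0) + amount > self.collateral.get(who, 0):
            raise ValueError("insufficient collateral")
        if self.update_before_transfer:
            # Hardened order: effect (bookkeeping) first, interaction last.
            self.debt[who] = self.debt.get(who, 0) + amount
            self._transfer(amount, on_receive)
        else:
            # Flawed order: a nested call still sees the old, lower debt.
            self._transfer(amount, on_receive)
            self.debt[who] = self.debt.get(who, 0) + amount


def simulate(update_before_transfer, collateral=100, amount=100):
    """Return (total paid out, whether the nested borrow was rejected)."""
    pool = Pool(update_before_transfer)
    pool.deposit("borrower", collateral)
    rejected = []

    def hook():
        # Constructed recipient callback that requests one nested loan.
        try:
            pool.borrow("borrower", amount)
        except ValueError:
            rejected.append(True)

    pool.borrow("borrower", amount, on_receive=hook)
    return pool.paid_out, bool(rejected)
```

With the flawed order the pool pays out twice the collateral value; with the debt recorded before the transfer, the nested request fails the collateral check.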
As for the stolen funds, they are still held at an Ethereum address, and both PeckShield and Cream Finance "are on the lookout" for any movement that may help track down those responsible.
The various DeFi hacks in 2021
The hack suffered by Cream Finance is one more in the long list of hacks of decentralized finance protocols so far this year. In fact, as CriptoNoticias reported in March, this same platform suffered a security breach that allowed hackers to hijack its domain name system (DNS) to request private information from customers.
In addition, in February Cream Finance had suffered a theft of USD 37.5 million. As for DeFi in general, USD 500 million has already been stolen this year through attacks and fraud of various kinds, as this outlet reported in August.