DeFi Lending platform CREAM Finance hit with $25 million flash loan attack

  • The attack used reentrancy on the AMP token contract, exploiting AMP tokens to re-borrow assets.
  • This is the second time in six months that the platform has suffered a flash loan attack.

Along with the growing popularity and rising participation, the decentralized finance (DeFi) space is becoming more and more vulnerable to flash loan attacks. Popular DeFi lending platform CREAM Finance faced its second flash loan attack in the last six months.

Blockchain security and data analytics firm PeckShield was the first to report the attack, citing data from Etherscan. CREAM Finance later confirmed the attack through its official Twitter handle. The DeFi lending platform wrote:

C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract. We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.

According to PeckShield's initial investigation, the attack happened through reentrancy on the AMP token contract. The unknown hacker managed to steal ~$19 million in the flash loan exploit, while the total loss in AMP and ETH combined stands at $25 million.

The blockchain security firm further noted that the attacker exploited the AMP tokens by reborrowing assets. It noted:

The hack is made possible due to a reentrancy bug introduced by $AMP, which is an ERC777-like token and exploited to re-borrow assets during its transfer before updating the first borrow. The funds are still parked in 0xCE1F….6EDE. We are actively monitoring this address for any movement.

As noted above, the platform has halted further exploitation by pausing supply and borrow on AMP.
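
A simplified single-market model of the ordering problem PeckShield describes above, added here as an illustration and not taken from CREAM, AMP or the original article. It shows why recording the borrow after a hook-calling transfer breaks the borrow limit, and how recording it first closes the gap. All class names, methods and values are hypothetical.

```python
# Added toy model (hypothetical names, constructed values); not CREAM's or AMP's code.
class HookToken:
    """ERC777-like token: transfer() calls a hook on the recipient before returning."""
    def __init__(self):
        self.balances = {}

    def transfer(self, sender, recipient, amount):
        self.balances[sender] -= amount  # sender is assumed funded in this model
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = getattr(recipient, "tokens_received", None)
        if hook is not None:
            hook(amount)  # recipient code runs while the caller is still mid-function

class Market:
    def __init__(self, token, liquidity, effects_first):
        self.token, self.effects_first = token, effects_first
        self.debt = {}
        token.balances[self] = liquidity

    def borrow(self, borrower, amount, limit):
        new_debt = self.debt.get(borrower, 0) + amount
        if new_debt > limit:  # check against the collateral-backed limit
            raise ValueError("borrow exceeds limit")
        if self.effects_first:
            self.debt[borrower] = new_debt  # effect recorded before the transfer
            self.token.transfer(self, borrower, amount)
        else:
            self.token.transfer(self, borrower, amount)  # hook fires with debt unrecorded
            self.debt[borrower] = new_debt  # stale value overwrites the nested borrow

class CallbackBorrower:
    """Test double whose receive hook requests the same amount once more."""
    def __init__(self, limit):
        self.limit, self.market, self.nested, self.rejected = limit, None, False, False

    def tokens_received(self, amount):
        if not self.nested:
            self.nested = True
            try:
                self.market.borrow(self, amount, self.limit)
            except ValueError:
                self.rejected = True  # nested borrow refused by the limit check

def run(effects_first, limit=100, liquidity=1000):
    """Return (tokens received, debt recorded, nested borrow rejected)."""
    token, who = HookToken(), CallbackBorrower(limit)
    who.market = Market(token, liquidity, effects_first)
    who.market.borrow(who, limit, limit)
    return token.balances[who], who.market.debt[who], who.rejected
```

With the transfer first, the model pays out 200 against a limit of 100 while recording only 100 of debt. With the debt recorded first, the nested request fails the limit check.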

Facing second attack in six months

DeFi lending platform CREAM has been quite popular in the market. However, a second flash loan exploit in just six months shows the vulnerability of the platform. The CREAM Finance platform experienced its first flash loan attack earlier in February 2021.

Back then, hackers stole $37.5 million worth of cryptocurrency from the platform. The hackers had exploited the Ethereum protocol Alpha Homora and managed to steal 13,200 wETH, 3.6 million USDC, 5.6 million USDT, and 4.2 million DAI.

Following today’s attack, both CREAM and AMP token prices tanked quickly. On a 24-hour chart, CREAM was down by 5 percent while the AMP token plummeted by as much as 13 percent.

As of press time, CREAM is trading at $167.07. On the other hand, AMP is down by 7.08 percent and is currently trading at $0.05. Despite the recent attacks, the CREAM Finance platform has managed to introduce new features.

Back in April 2021, CREAM introduced collateral-free protocol-to-protocol flash loans with Iron Bank. These loans were popular as they offered significantly cheaper rates with just 0.03 percent in interest. In comparison, its peer Aave offers loans at 0.09 percent, and Uniswap at 0.3 percent. However, the recent hacks could hinder the growth of the project.

About Author

Bhushan is a FinTech enthusiast with a flair for understanding financial markets. His interest in economics and finance drew his attention towards the emerging blockchain technology and cryptocurrency markets. He is continuously learning and keeps himself motivated by sharing the knowledge he acquires. In his free time, he reads thriller fiction novels and sometimes explores his culinary skills.
