By exploiting a reentrancy issue in the AMP token, the Cream Finance hacker was able to take $18.8 million over the course of 17 transactions.
Cream Finance, a major decentralized finance (DeFi) protocol focusing on lending, was hit by a huge exploit in which a hacker stole approximately $19 million in cryptocurrency from the platform.
According to a report by blockchain security firm PeckShield, an anonymous hacker was able to obtain $18.8 million in the latest flash loan exploit of the Cream Finance protocol by exploiting a reentrancy issue introduced by the Amp (AMP) token.
Cream Finance, which made the announcement on Monday, stated that it has stopped the exploit by suspending supply and borrow on the AMP token. Cream Finance reported that no other markets were affected.
C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract.
We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.
— Cream Finance (@CreamdotFinance) August 30, 2021
According to PeckShield, the hacker exploited the AMP token by re-borrowing assets during its transfer, before the first borrow was updated, across a total of 17 transactions. According to the security firm, an example transaction might be as follows: “A hacker takes out a flash loan of 500 ETH and deposits the funds as collateral. The hacker then borrows 19M $AMP and exploits the reentrancy problem to re-borrow 355 ETH during the $AMP token transfer, a total of 355 ETH. The hacker then self-liquidates the borrowed funds.”
“The funds are still sitting in the address 0xCE1F….6EDE,” PeckShield stated after disclosing the hacker’s address. “We are actively monitoring this address for any movement.”
AMP is an Ethereum-based token that is intended to serve as collateral for payments made through the digital payments network Flexa, according to its creators. The AMP token contract implements the ERC1820 registry smart contract, which is based on the ERC777 standard.
The ERC1820 standard, which was introduced in 2019, defines a smart contract that acts as a universal registry, allowing any address to “register which interface it supports and which smart contract is responsible for its implementation.”
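A simplified Python model of the re-borrow described above, added here as an illustration and not taken from Cream Finance, AMP or PeckShield: a hook-enabled token lets the recipient run code mid-transfer, and the market is shown recording debt after the transfer (vulnerable) and before it (hardened). The class names, the account name and the amounts are constructed.

```python
# Toy model with constructed names and amounts; not Cream Finance or AMP code.
class Ledger:
    """Collateral and debt shared by every market, as in a lending protocol."""
    def __init__(self):
        self.collateral = {}
        self.debt = {}

    def can_borrow(self, account, amount):
        return self.debt.get(account, 0) + amount <= self.collateral.get(account, 0)

    def add_debt(self, account, amount):
        self.debt[account] = self.debt.get(account, 0) + amount


class Market:
    def __init__(self, ledger, token_has_hooks=False, effects_first=False):
        self.ledger = ledger
        self.token_has_hooks = token_has_hooks  # token calls the recipient on transfer
        self.effects_first = effects_first      # record debt before transferring
        self.paid_out = 0

    def _transfer(self, amount, on_receive):
        self.paid_out += amount
        if self.token_has_hooks and on_receive is not None:
            on_receive()  # recipient-controlled code runs while borrow() is unfinished

    def borrow(self, account, amount, on_receive=None):
        if not self.ledger.can_borrow(account, amount):
            return False
        if self.effects_first:
            self.ledger.add_debt(account, amount)   # state updated first
            self._transfer(amount, on_receive)
        else:
            self._transfer(amount, on_receive)      # external call first
            self.ledger.add_debt(account, amount)   # too late: hook already ran
        return True


def simulate(effects_first):
    """Return (total paid out, whether the re-entrant borrow succeeded)."""
    ledger = Ledger()
    ledger.collateral["borrower"] = 100
    hook_market = Market(ledger, token_has_hooks=True, effects_first=effects_first)
    other_market = Market(ledger, effects_first=effects_first)
    nested = []
    hook_market.borrow("borrower", 80, on_receive=lambda: nested.append(
        other_market.borrow("borrower", 80)))
    return hook_market.paid_out + other_market.paid_out, nested[0]
```

Because the nested call lands in a different market than the one being borrowed from, the ordering (or a shared reentrancy lock) has to hold across every market that reads the same ledger.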
AMP token and Cream Finance’s native token CREAM both experienced significant price drops as a result of the attack, with AMP falling by over 13 percent in the last 24 hours alone.
According to CoinGecko data, at the time of writing, the AMP token is trading at $0.051908, while the CREAM token is selling at $167, down almost 5 percent over the previous 24 hours.
Cream’s Iron Bank protocol-to-protocol lending platform was used to commit a $37 million hack against DeFi product Alpha Homora in February, according to a previous article by Cointelegraph.
The latest flash loan exploit comes amid an increase in the number of hacks and exploits across cryptocurrency systems, both centralized and decentralized, in recent months.
On August 28, the Bilaxy cryptocurrency exchange was the victim of a large hot wallet breach, which resulted in the compromise of 295 ERC-20 tokens. A cyberattack that occurred on August 19 resulted in the loss of approximately $100 million for Liquid.