The decentralized finance (DeFi) protocol Cream Finance was hacked this Monday, August 30. Cybercriminals exploited a vulnerability in the smart contracts used for flash loan operations to steal $18.8 million in ether (ETH) and the AMP token (AMP).
Cream Finance is a DeFi platform that offers cryptocurrency loans. According to a post on its official Twitter account, the hackers took advantage of a reentrancy flaw in AMP's smart contracts. The team clarified, however, that it has already managed to stop the attack and that "no other market was affected."
The criminals took 1,308.09 ETH (equivalent to USD 4.3 million at the time of writing, according to the CriptoNoticias price index) and 418,311,571 AMP (more than USD 22.5 million, although part of it went into other transactions the hackers made, which reduced the amount). At the moment, AMP transactions are suspended on the platform and it is not known when they will resume.
Cream Finance hack details
According to a preliminary analysis published on Twitter by blockchain analytics company PeckShield, the bug in the contract allowed the hackers to take out repeated loans before the records of previous operations had been updated. In other words, they could take out multiple loans using the same collateral, so that later they only paid back a part of the proceeds.
In this way, the criminals were able to make 17 transactions to keep the loot. They first borrowed 500 ETH and used it to borrow 19 million AMP. Subsequently, thanks to the reentrancy bug in the contract, they borrowed another 355 ETH before the first trade was settled. Once the process was completed, they repeated the operation several times until reaching the sum of USD 18.8 million.
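The double borrowing against a single deposit described above can be reproduced in a toy model. This is an added example, not code from Cream Finance, AMP or PeckShield; the pool class, the recipient hook, the amounts (100 of collateral, loans of 80) and the collateral factor of 1 are constructed assumptions. It contrasts paying out before the debt is recorded with recording the debt first.

```python
class LendingPool:
    """Toy lending market (constructed model, not Cream Finance's contract)."""

    def __init__(self, effects_first):
        self.effects_first = effects_first   # True = record debt before paying out
        self.collateral = {}                 # user -> deposited value
        self.debt = {}                       # user -> borrowed value

    def deposit(self, user, value):
        self.collateral[user] = self.collateral.get(user, 0) + value

    def borrow(self, user, value, on_receive=None):
        # Check: total debt must stay within the collateral (factor 1 for simplicity).
        if self.debt.get(user, 0) + value > self.collateral.get(user, 0):
            raise ValueError("insufficient collateral")
        if self.effects_first:
            self.debt[user] = self.debt.get(user, 0) + value   # effect
            self._transfer(on_receive)                         # interaction
        else:
            self._transfer(on_receive)                         # interaction first (the bug)
            self.debt[user] = self.debt.get(user, 0) + value   # effect arrives too late

    def _transfer(self, on_receive):
        # Assumption: the token hands control to the recipient during the transfer.
        if on_receive:
            on_receive()


def simulate(effects_first):
    """Return (recorded debt, collateral, whether the nested borrow was rejected)."""
    pool = LendingPool(effects_first)
    pool.deposit("borrower", 100)
    rejected = []

    def hook():
        # Recipient callback re-enters borrow() while the first loan is in flight.
        try:
            pool.borrow("borrower", 80)
        except ValueError:
            rejected.append(True)

    pool.borrow("borrower", 80, on_receive=hook)
    return pool.debt["borrower"], pool.collateral["borrower"], bool(rejected)


if __name__ == "__main__":
    print("transfer before bookkeeping:", simulate(False))
    print("bookkeeping before transfer:", simulate(True))
```

With the payout first, the nested call passes the collateral check because the first loan is not yet on the books; with the debt recorded first, the same check rejects it.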
As for the extracted funds, they are still held at an Ethereum address, and both PeckShield and Cream Finance "are on the lookout" for any movement that could help track down those responsible for the event.
The various DeFi hacks in 2021
The attack on Cream Finance is one more in the long list of hacks of decentralized finance protocols so far this year. In fact, as CriptoNoticias reported in March, this same platform suffered a security breach that allowed hackers to hijack its domain name system (DNS) in order to request private information from customers.
In addition, in February Cream Finance had suffered a theft of USD 37.5 million. With regard to DeFi in general, USD 500 million has already been stolen this year through attacks and fraud of various kinds, as this outlet reported in August.