Cream Finance DeFi Loses $19 million in Flash Loan Hack, its Second Breach in 6 Months

September 01, 2021, 10:15 AM AEST - 3 weeks ago

Decentralised finance (DeFi) platform Cream Finance has fallen victim to an exploit, the second time the protocol has been targeted. This latest flash loan attack on August 30 stole an estimated US$19 million from the protocol.

While Cream Finance runs on Ethereum, Binance Smart Chain and Fantom, luckily the only affected market was the v1 market on the Ethereum blockchain:

How Did It Happen?

According to PeckShield, a blockchain security company, the hacker made “a flash loan of 500 ETH and deposited the funds as collateral. [Next] the hacker borrowed 19M $AMP and made use of the reentrancy bug to re-borrow 355 ETH inside the $AMP token transfer. Then the hacker self-liquidated the borrow.”

The flash loan attack process. Source: PeckShield

The process was repeated 17 times, allowing the hacker to get away with around US$18.8 million.

“The funds are still parked in 0xCE1F … 6EDE. We are actively monitoring this address for any movement,” PeckShield noted, providing the hacker’s address via Etherscan.

The price of AMP token plunged more than 14 percent in the first few hours following the exploit but has been recovering since. This is the second time in six months that Cream Finance has fallen victim to an exploit.

The Importance of Reviewing DeFi Contracts

Various security and crypto experts have identified some of the major concerns surrounding the emerging DeFi market. “DeFi can be hacked for two main reasons – vulnerability in the DeFi smart contract code, or hacking the private key of the smart contract owner who has permissions to control the protocol,” said Lior Lamesh, CEO of GK8.

Lamesh added that “in order to prevent such attacks, financial institutions looking to offer DeFi services need to do two main steps: First, review the DeFi smart contract code and validate that it has no vulnerabilities; second, protect the smart contract owner’s private key at the highest level of security.”

As more institutional investors flock to DeFi and the benefits brought by the technology, it’s becoming increasingly important to review code and to ensure contracts execute as intended.

Disclaimer: The content and views expressed in the articles are those of the original authors own and are not necessarily the views of Crypto News. We do actively check all our content for accuracy to help protect our readers. This article content and links to external third-parties is included for information and entertainment purposes. It is not financial advice. Please do your own research before participating.