C.R.E.A.M. Finance Faces $18,000,000 Flash Loan Attack on Ethereum

C.R.E.A.M. Finance endures latest exploit to hit DeFi only days after elaborating on prospective lending products on Binance Smart Chain

By Dardania Havolli on August 30, 2021
Category: BSC News

C.R.E.A.M. Finance Suffers Blow

C.R.E.A.M. Finance has become the latest lending protocol to suffer a considerable flash loan attack. It appears the episode concerned the AMP token contract that implements ERC777-based ERC1820.

Through Etherscan, BSC.News has ascertained that a flash loan attack of over $18 million was carried out on C.R.E.A.M. Finance on August 30th at 05:44:47 AM UTC.

“C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract,” the protocol confirmed hours later via tweet. “We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.”

The attack comes after C.R.E.A.M. Finance Co-Founder Leo Cheng spoke to BSC News about how innovation requires his team to push the boundaries and explore the edges of capital efficiency, but this line of work requires discipline. Although you want to build what everybody is after, you need to be conscious of safety and security, especially when personal assets are involved, Cheng explained. 


What is a ‘Flash Loan Attack’?

What C.R.E.A.M. suffered can be classified as a flash loan attack. Flash loan attacks are a type of Decentralized Finance (DeFi) attack where a cyberthief takes out a flash loan (a form of uncollateralized lending) from a lending protocol and uses it in conjunction with various types of gimmickry to manipulate the market in their favor.

C.R.E.A.M. confirmed that PeckShield assisted in the recovery effort and that a post-mortem is on the way. PeckShield confirmed some of what they know in follow-up tweets around 08:00 UTC on August 30th.

“The hack is made possible due to a reentrancy bug introduced by $AMP, which is an ERC777-like token and exploited to re-borrow assets during its transfer before updating the first borrow,” the tweet states.

The hacker flash loaned 500 ETH to borrow up to 19 million AMP tokens. Those 19 million tokens can then be used to exploit the reentrancy bug and borrow a further 355 ETH before the $AMP token transfer completes. The hacker is able to liquidate the 355 ETH for a sweet profit.


Rinse and repeat seventeen times for a total of 5.98K ETH. PeckShield knows the account that has the funds and is monitoring the situation.
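The ordering problem PeckShield describes (paying out through a token hook before the borrow is recorded) can be seen in a small model. This is an added Python example, not C.R.E.A.M.'s or AMP's contract code; the class names, the limit of 100 and the retry count are assumptions made for illustration. It contrasts the stale-state ordering with recording the debt before the transfer.

```python
# Toy model, constructed for illustration; not C.R.E.A.M. or AMP contract code.
COLLATERAL_LIMIT = 100  # assumed borrowing power of the account

class Market:
    def __init__(self, cash, effects_first):
        self.cash = cash                    # tokens available to lend
        self.debt = {}                      # account name -> recorded debt
        self.effects_first = effects_first  # True = hardened ordering

    def borrow(self, account, amount):
        # Check: the limit is computed from *recorded* debt only.
        if self.debt.get(account.name, 0) + amount > COLLATERAL_LIMIT:
            raise ValueError("borrow exceeds collateral limit")
        if self.effects_first:
            self._record(account, amount)   # effect, then interaction
            self._pay_out(account, amount)
        else:
            self._pay_out(account, amount)  # hook runs while debt is stale
            self._record(account, amount)

    def _record(self, account, amount):
        self.debt[account.name] = self.debt.get(account.name, 0) + amount

    def _pay_out(self, account, amount):
        self.cash -= amount
        account.on_tokens_received(amount)  # token hook: control leaves the market

class HookedAccount:
    """Receiver whose token hook calls borrow() again, up to `retries` times."""
    def __init__(self, name, market, retries):
        self.name, self.market, self.retries = name, market, retries
        self.received = self.rejected = 0

    def on_tokens_received(self, amount):
        self.received += amount
        if self.retries > 0:
            self.retries -= 1
            try:
                self.market.borrow(self, amount)
            except ValueError:
                self.rejected += 1          # nested borrow refused

def run(effects_first):
    market = Market(cash=1000, effects_first=effects_first)
    account = HookedAccount("acct", market, retries=2)
    market.borrow(account, COLLATERAL_LIMIT)
    return account.received, market.debt["acct"], account.rejected
```

`run(False)` returns `(300, 300, 0)`, three payouts against a limit of 100, while `run(True)` returns `(100, 100, 1)` because the nested borrow sees the updated debt and is refused.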

We’ll be sure to update the community with a take once we have the full report. 

What is C.R.E.A.M. Finance?

Cream Finance describes itself as a decentralized lending protocol for individuals, institutions, and protocols to access financial services. Part of the Yearn Finance ecosystem, Cream Finance is a permissionless, open-source, and blockchain-agnostic protocol serving users on Ethereum, Binance Smart Chain, Polygon, and Fantom.

Users who passively hold Ether or wBTC can deposit their assets on Cream to earn yield, similar to a traditional savings account. 
