C.R.E.A.M. Finance Suffers Blow
C.R.E.A.M. Finance has become the latest lending protocol to suffer a considerable flash loan attack. It appears the episode concerned the AMP token contract, an ERC777-style token that uses the ERC1820 registry.
“C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract,” the protocol confirmed hours later via tweet. “We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.”
The attack comes after C.R.E.A.M. Finance Co-Founder Leo Cheng spoke to BSC News about how innovation requires his team to push the boundaries and explore the edges of capital efficiency, but this line of work requires discipline. Although you want to build what everybody is after, you need to be conscious of safety and security, especially when personal assets are involved, Cheng explained.
What is a ‘Flash Loan Attack’?
What C.R.E.A.M. suffered can be classified as a flash loan attack. Flash loan attacks are a type of Decentralized Finance (DeFi) attack where a cyberthief takes out a flash loan (a form of uncollateralized lending) from a lending protocol and uses it in conjunction with various types of gimmickry to manipulate the market in their favor.
C.R.E.A.M. confirmed that Peck Shield assisted in the recovery effort and that a post-mortem is on the way. Peck Shield confirmed some of what it knows in follow-up tweets around 08:00 UTC on August 30th.
“The hack is made possible due to a reentrancy bug introduced by $AMP, which is an ERC777-like token and exploited to re-borrow assets during its transfer before updating the first borrow,” the tweet states.
The hacker flash loaned 500 ETH to borrow up to 19 million AMP tokens. Those 19 million tokens could then be used to exploit the reentrancy bug to borrow a further 355 ETH before the completion of the $AMP token transfer. The hacker was able to liquidate the 355 ETH for a sweet profit.
Rinse and repeat seventeen times for a total of 5.98K ETH. Peck Shield knows the account that has the funds and is monitoring the situation.
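The mechanism Peck Shield describes is the classic "interaction before effect" ordering: the market transfers the borrowed tokens, the token's ERC777-style recipient hook hands control back to the borrower, and the borrower calls borrow again before the first borrow has been recorded, so the collateral check passes a second time. The toy model below is an added illustration, not C.R.E.A.M.'s or AMP's actual code; the account names, amounts and the 50% collateral rule are constructed. It runs the same scenario against a vulnerable market and against one hardened with a reentrancy guard and record-before-transfer ordering.

```python
"""Toy model of the ERC777-hook reentrancy pattern discussed above.

Constructed example: account names, balances and the collateral factor are
made up and do not reflect C.R.E.A.M.'s or AMP's real contracts.
"""


class ReentrancyError(Exception):
    """Raised when a guarded function is entered while already executing."""


class HookedToken:
    """Minimal ERC777-style token: a registered recipient hook runs inside
    transfer(), before balances are finalised (the tokensReceived pattern)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.hooks = {}  # account name -> callable(amount)

    def register_hook(self, account, callback):
        self.hooks[account] = callback

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient token balance")
        hook = self.hooks.get(recipient)
        if hook is not None:
            hook(amount)  # control leaves the token contract here
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


class LendingMarket:
    """Single-asset market. safe=False orders check -> transfer -> record
    (vulnerable); safe=True adds a guard and records before transferring."""

    COLLATERAL_FACTOR = 0.5  # constructed: borrow up to half the collateral

    def __init__(self, token, safe):
        self.token = token
        self.safe = safe
        self.collateral = {}
        self.borrows = {}
        self._entered = False

    def deposit_collateral(self, account, value):
        self.collateral[account] = self.collateral.get(account, 0) + value

    def _check_limit(self, account, amount):
        limit = self.collateral.get(account, 0) * self.COLLATERAL_FACTOR
        if self.borrows.get(account, 0) + amount > limit:
            raise ValueError("borrow exceeds collateral limit")

    def borrow(self, account, amount):
        if not self.safe:
            self._check_limit(account, amount)
            # Interaction before effect: the hook fires while this borrow is
            # still unrecorded, so a re-entrant borrow passes the same check.
            self.token.transfer("market", account, amount)
            self.borrows[account] = self.borrows.get(account, 0) + amount
            return
        if self._entered:
            raise ReentrancyError("borrow re-entered during transfer")
        self._check_limit(account, amount)
        self._entered = True
        self.borrows[account] = self.borrows.get(account, 0) + amount  # effect
        try:
            self.token.transfer("market", account, amount)  # interaction last
        except Exception:
            self.borrows[account] -= amount  # mimic an EVM revert of the effect
            raise
        finally:
            self._entered = False


class ReenteringBorrower:
    """Recipient whose token hook calls borrow() again a bounded number of times."""

    def __init__(self, market, name, amount, reentries):
        self.market, self.name, self.amount = market, name, amount
        self.remaining = reentries
        self.blocked_by = None  # name of the exception that stopped re-entry

    def tokens_received(self, _amount):
        if self.remaining == 0:
            return
        self.remaining -= 1
        try:
            self.market.borrow(self.name, self.amount)
        except (ReentrancyError, ValueError) as exc:
            self.blocked_by = type(exc).__name__


def simulate(safe, reentries=2):
    """Deposit 100 of collateral (limit 50), borrow 50, re-enter `reentries` times."""
    token = HookedToken({"market": 1000})
    market = LendingMarket(token, safe=safe)
    market.deposit_collateral("borrower", 100)
    borrower = ReenteringBorrower(market, "borrower", 50, reentries)
    token.register_hook("borrower", borrower.tokens_received)
    market.borrow("borrower", 50)
    return {
        "received": token.balances["borrower"],
        "recorded": market.borrows["borrower"],
        "limit": 50,
        "blocked_by": borrower.blocked_by,
    }


if __name__ == "__main__":
    print("vulnerable:", simulate(safe=False))
    print("hardened:  ", simulate(safe=True))
```

In the vulnerable run the borrower walks away with three times the collateral limit because every nested borrow is checked against a zero balance; in the hardened run the nested call is rejected by the guard, and even without the guard the record-before-transfer ordering would make the second check fail. Auditors looking at markets that list ERC777 or other hook-bearing tokens should check for exactly this ordering in every function that moves tokens after a state check.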
We’ll be sure to update the community with a take once we have the full report.
What is C.R.E.A.M. Finance?
Cream Finance describes itself as a decentralized lending protocol that gives individuals, institutions, and protocols access to financial services. Part of the Yearn Finance ecosystem, Cream Finance is a permissionless, open-source, and blockchain-agnostic protocol serving users on Ethereum, Binance Smart Chain, Polygon, and Fantom.
Users who passively hold Ether or wBTC can deposit their assets on Cream to earn yield, similar to a traditional savings account.