TL;DR Breakdown
- Cream Finance has suffered another security breach that drained about $25 million in AMP and ETH.
- The incident was a result of a “reentrancy bug” on AMP token contract.
For the second time in six months, popular decentralized lending protocol Cream Finance has suffered another attack due to a “reentrancy bug,” according to blockchain security and data analytics company, PeckShield. The protocol’s development team confirmed the incident on Twitter, noting that AMP tokens and Ether (ETH) were lost.
Cream Finance attack
In what PeckShield addressed as a flash loan attack, the CREAM v1 market on the Ethereum blockchain was exploited early today due to a reentrancy bug on AMP token contract. The hacker exploited the bug to “re-borrow assets during its transfer before updating the first borrow.”
Cream Finance confirmed this, saying that the hacker stole 418,311,571 in AMP and 1,308.09 in ETH, which is estimated to be around $25 million. Meanwhile, the Cream team said they have suspended supply and borrow on AMP, to stop and fix the issue. “No other markets were affected,” the team assured.
The incident today marks the second time where Cream Finance suffered a security breach. In February, the protocol was attacked, which resulted in the loss of about 13,000 ETH, equivalent to $24 million at the time of the attack. The price of the Cream token dropped by 30 percent as a result.
AMP token drops by 11%
The Cream Finance attack didn’t constitute any significant drop in the price of the AMP token. The token was trading at $0.05234 – an 11.7 percent drop in a 24-hour chart. The Cream token was also trading at 5.18 percent at $166.64.
Given DeFi is still in its nascent stage, there have been increased cases of flash loan attacks over the past years. However, it’s also worth noting that many protocols are now undergoing an intensive audit and implementing adequate security measures.
From Zero to Web3 Pro: Your 90-Day Career Launch Plan