Twice in 6 Months: Cream Finance Exploited for $25 Million in ETH and AMP

Six months after getting hacked, Cream Finance – a permissionless, open-source, blockchain agnostic protocol –  suffered another breach. The team reported losses of up to $25 million in ETH and AMP.

• PeckShield Inc., a blockchain security company, highlighted the hack a few hours ago, providing the transaction in what appeared to be a flash loan attack against Cream Finance.
• Shortly after, the team behind the DeFi protocol confirmed the news on Twitter. They said the C.R.E.A.M. v1 market on Ethereum was exploited through reentrancy on the AMP token contract.
• The total losses, according to Cream Finance, are as follows – 418,311,571 AMP coins and 1,308.09 ETH tokens.
• AMP’s price has crashed 15% in hours to $0.05 as of writing these lines, while ETH stands just under $3,200. The stolen amount is just over $25 million in USD terms.
• Cream Finance further updated that they have stopped the attack by pausing the supply and borrow services on AMP. They also reassured users that the other markets remained unaffected.

The AMP token contract implements ERC77-based ERC1820, which has the _callPreTransferHooks for reentrancy. Thank you @peckshield for assisting with this investigation.

— Cream Finance 🍦 (@CreamdotFinance) August 30, 2021

• It’s worth noting that this is the second time this year that Cream Finance has become a victim of a hack. As reported in February, the previous attack resulted in a bit less than $24 million in ETH stolen.
• Cream’s native token plummeted by 30% last time in hours six months ago, but this time it has dropped by 6% as of now.