DeFi Project Cream Finance Involved in $25M Flash Loan Exploit

By Liam J. Kelly

Lending and borrowing platform Cream Finance has been hit by a large, multimillion-dollar exploit. The attacker has made off with more than 418 million in Ampleforth’s governance token, AMP, and 1,308 Ethereum.

The total sum amounts to $25,678,948, but the price of AMP has already fallen more than 15% at press time, according to CoinGecko.

The attacker’s address currently holds $18.8 million.

The Cream Finance team has stopped further losses by “pausing supply and borrow on AMP.”

C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract.

We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.

— Cream Finance 🍦 (@CreamdotFinance) August 30, 2021

Cream Finance is a decentralized finance (DeFi) platform that lets users earn interest on their idle cryptocurrencies. Unlike platforms such as Aave or Compound, Cream has many more markets for many more esoteric cryptocurrencies. Cream is actually a fork of the Compound code base.

PeckShield, a crypto-security firm, explained that the hacker took out a 500 Ethereum flash loan, which was then used to exploit a “reentrancy bug” found in the Ampleforth smart contract.

3/4 Specifically, in the example tx, the hacker makes a flashloan of 500 ETH and deposits the funds as collateral. Then the hacker borrows 19M $AMP and makes use of the reentrancy bug to re-borrow 355 ETH inside $AMP token transfer(). Then the hacker self-liquidates the borrow. pic.twitter.com/ryVX2RoxhJ

— PeckShield Inc. (@peckshield) August 30, 2021
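The ordering problem behind a reentrant borrow of this kind, shown as an added toy model in Python beside its hardened form; this is not Cream's or the AMP token's code. The class names, the recipient hook and all amounts are assumptions constructed for illustration, with every value in one abstract unit.

```python
# Toy model, constructed for illustration; values share one abstract unit.
class HookToken:
    """Token whose transfer() hands control to the recipient (assumed)."""
    def transfer(self, market, to, amount):
        to.tokens += amount
        to.on_receive(market)  # external call: recipient code runs here

class Recipient:
    """Hypothetical borrower contract that re-enters the market from the hook."""
    def __init__(self, reenter_eth):
        self.tokens = self.eth = 0
        self.reenter_eth, self.rejected = reenter_eth, False
    def on_receive(self, market):
        try:
            market.borrow_eth(self, self.reenter_eth)
        except ValueError:
            self.rejected = True  # market refused the nested borrow

class Market:
    def __init__(self, effects_first):
        self.effects_first = effects_first
        self.token, self.collateral, self.debt = HookToken(), {}, {}
    def _require_headroom(self, who, amount):
        if self.debt.get(who, 0) + amount > self.collateral.get(who, 0):
            raise ValueError("insufficient collateral")
    def _record(self, who, amount):
        self.debt[who] = self.debt.get(who, 0) + amount
    def deposit(self, who, amount):
        self.collateral[who] = self.collateral.get(who, 0) + amount
    def borrow_eth(self, who, amount):
        self._require_headroom(who, amount)
        self._record(who, amount)
        who.eth += amount
    def borrow_token(self, who, amount):
        self._require_headroom(who, amount)
        if self.effects_first:  # hardened: checks, effects, then interaction
            self._record(who, amount)
            self.token.transfer(self, who, amount)
        else:                   # weak: interaction before the debt is recorded
            self.token.transfer(self, who, amount)
            self._record(who, amount)

def run(effects_first):
    """Return (total debt, collateral, nested borrow rejected?)."""
    market, who = Market(effects_first), Recipient(reenter_eth=300)
    market.deposit(who, 500)
    market.borrow_token(who, 400)
    return market.debt[who], market.collateral[who], who.rejected

print("weak    ", run(False))
print("hardened", run(True))
```

In the weak ordering the nested borrow is checked against a debt of zero, so total debt ends above the collateral; recording the debt before the transfer makes the same nested call fail the collateral check.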

This story is breaking and will be updated as more information becomes available.