Studies have not yet proven whether hackers in the financial sector wear suits and gloves. (Photo: Twinsterphoto / Shutterstock.com)
Cream Finance issues crypto loans via smart contracts. At least one attacker was able to bypass the lending function through a bug in one of the contracts and steal crypto coins and tokens worth around 30 million euros. In detail, Cream lost around 462 million AMP tokens (around 21 million euros) and around 2,800 ethers (around nine million euros).
Hacker abuses lending function
In a detailed blog post analyzing the hack, Cream Finance explains that the attack was a so-called reentrancy attack. If this type of attack succeeds, functions can be called in a loop and executed again and again without the account balances being visibly updated in between.
According to the post, a lending function at Cream Finance was tricked in this way. Instead of one, there were a total of 17 abusive transactions. A second perpetrator is also said to have used the same approach, but with less success.
As Cream Finance found out with the help of the security company PeckShield, the vulnerability is said to lie in the implementation of the AMP token, which was created according to the ERC-777 standard, in Cream's own protocol. There is no patch yet. Cream Finance has therefore blocked all lending functions involving the AMP token until further notice. The service promises to fully reimburse the damage incurred. Part of the fees collected is to be used for this purpose.
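The ordering flaw behind a reentrancy attack, shown as an added Python model that is not Cream Finance's or AMP's contract code: all class and function names and amounts are constructed for illustration, and `tokens_received` stands in for the callback an ERC-777 token transfer makes to the recipient. It contrasts a pool that records the debt only after the transfer with one that records it first and rejects re-entry.

```python
class ReentrancyError(Exception):
    pass

class LendingPool:
    """Toy lending pool; 'guarded' selects the fixed ordering plus a re-entry lock."""
    def __init__(self, cash, guarded):
        self.cash = cash
        self.limit = {}        # account name -> maximum debt its collateral allows
        self.debt = {}         # account name -> debt recorded so far
        self.guarded = guarded
        self.locked = False    # True while a borrow() is still in progress

    def borrow(self, borrower, amount):
        if self.guarded and self.locked:
            raise ReentrancyError("borrow re-entered before it finished")
        self.locked = True
        try:
            name = borrower.name
            if self.debt.get(name, 0) + amount > self.limit.get(name, 0):
                raise ValueError("borrow exceeds collateral limit")
            if self.guarded:
                self.debt[name] = self.debt.get(name, 0) + amount  # effect first
                self._send(borrower, amount)                       # then interaction
            else:
                self._send(borrower, amount)  # hook runs while recorded debt is stale
                self.debt[name] = self.debt.get(name, 0) + amount
        finally:
            self.locked = False

    def _send(self, borrower, amount):
        self.cash -= amount
        borrower.tokens_received(self, amount)  # recipient callback (assumed hook name)

class HookedRecipient:
    """Constructed account whose transfer callback calls back into the pool."""
    def __init__(self, name, reentries):
        self.name, self.reentries = name, reentries

    def tokens_received(self, pool, amount):
        if self.reentries > 0:
            self.reentries -= 1
            try:
                pool.borrow(self, amount)
            except (ReentrancyError, ValueError):
                pass  # the nested call was rejected; the outer borrow still completes

def simulate(guarded, reentries=3):
    """Return (tokens paid out, debt recorded) for an account whose limit is 10."""
    pool = LendingPool(cash=1000, guarded=guarded)
    pool.limit["acct"] = 10
    pool.borrow(HookedRecipient("acct", reentries), 10)
    return 1000 - pool.cash, pool.debt["acct"]
```

In the unguarded run every nested call passes the collateral check against a debt of zero, so the pool pays out four times the limit; in the guarded run the nested call is rejected and only the first loan goes through.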
Cream Finance hit for the second time
Cream Finance is a decentralized financial services provider based on smart contracts that specializes in lending cryptocurrencies. Users of the platform can independently lend cryptocurrencies at interest and also borrow them, i.e. give or take out loans. Like the AMP token, Cream Finance runs on the Ethereum platform and is part of the rapidly growing DeFi market, which, however, has had to struggle with serious attacks lately.
Even for Cream Finance, the incident is not the first this year. In February, hackers had already relieved Cream's platform Ironbank of assets worth around 38 million US dollars. At the time, the attack did not take place directly on the platform, but via a crypto service from the cooperation partner Alpha Finance.
Cream Finance hopes for a repeat of the Poly Network story
In August, the Poly Network platform suffered the worst loss in DeFi history, at over 600 million dollars. However, Poly Network was lucky: the hacker returned the sum in several tranches. Poly Network had assured him of impunity and even offered him a job as a security advisor.
Cream Finance would like to follow this example. Cream Finance has announced that it is prepared to leave ten percent of the looted sum as a "bug bounty", i.e. as a reward for finding the security hole with no further consequences. In case the offer meets with no interest, the platform is pursuing a second track: it has offered a reward of 50 percent of the coins and tokens that actually flow back to anyone whose information leads to the apprehension of the perpetrator.

