Decentralised finance (DeFi) platform Cream Finance lost $29 million worth of cryptocurrency in a crypto hack this week, with the company halting amp trading to stop the theft transactions.
DeFi platform Cream Finance lost $29 million in a cryptocurrency hack this week, the second hack that the platform has suffered in 2021, having lost $37.5 million in February.
The theft took place across two cryptocurrencies, and was achieved by exploiting a bug that arose from adding an amp token into the platform’s protocol.
The cyber criminals made off with 418,311,571 amp and 1,308.09 ethereum coins.
According to media outlet Bitcoin.com, Cream Finance was audited by cyber security firm Trail of Bits before the exploitation took place.
Blockchain security company PeckShield took to Twitter after the attack, analysing how the event unfolded.
“The hack is made possible due to a reentrancy bug introduced by $AMP, which is an ERC777-like token and exploited to re-borrow assets during its transfer before updating the first borrow,” the company said.
“Specifically, in the example tx, the hacker makes a flashloan of 500 ETH and deposits the funds as collateral. Then the hacker borrows 19M $AMP and makes use of the reentrancy bug to re-borrow 355 ETH inside $AMP token transfer(). Then the hacker self-liquidates the borrow.
“The hacker repeats the above process in 17 different txs and gains in total 5.98K ETHs (with ~$18.8M). The funds are still parked in 0xCE1F….6EDE. We are actively monitoring this address for any movement.”
According to Cream Finance, the DeFi platform halted the theft by pausing “supply and borrow on AMP”.
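The ordering problem PeckShield describes, as a simplified Python model added here for illustration; it is not Cream Finance's or AMP's contract code. The class and function names, the single-user setup, 1:1 asset pricing and the 400-unit token borrow are assumptions; the 500 and 355 figures are taken from the quoted transaction.

```python
# Constructed model: one lending market, all amounts in ETH-equivalent units.

class HookToken:
    """ERC777-like token: transfer() calls a hook registered by the recipient."""
    def __init__(self):
        self.hooks = {}  # recipient -> callback invoked during transfer

    def transfer(self, to, amount):
        hook = self.hooks.get(to)
        if hook:
            hook(amount)  # control passes to the recipient mid-transfer


class Market:
    def __init__(self, token, effects_first):
        self.token = token
        self.effects_first = effects_first  # True = record debt before transfer
        self.collateral = {}
        self.debt = {}

    def _check(self, user, amount):
        if self.debt.get(user, 0) + amount > self.collateral.get(user, 0):
            raise ValueError("insufficient collateral")

    def borrow_token(self, user, amount):
        self._check(user, amount)
        if self.effects_first:
            # Hardened ordering: state is updated before the external call.
            self.debt[user] = self.debt.get(user, 0) + amount
            self.token.transfer(user, amount)
        else:
            # Vulnerable ordering: the hook runs while the debt is still unrecorded.
            self.token.transfer(user, amount)
            self.debt[user] = self.debt.get(user, 0) + amount

    def borrow_eth(self, user, amount):
        self._check(user, amount)
        self.debt[user] = self.debt.get(user, 0) + amount


def debt_after_borrow(effects_first):
    """Return the user's total debt after one token borrow with a re-entrant hook."""
    token = HookToken()
    market = Market(token, effects_first)
    market.collateral["user"] = 500  # collateral from the quoted example
    def hook(_amount):
        try:
            market.borrow_eth("user", 355)  # second borrow inside the transfer
        except ValueError:
            pass  # rejected once the first borrow is already on the books
    token.hooks["user"] = hook
    market.borrow_token("user", 400)  # constructed value for the token borrow
    return market.debt["user"]
```

With the vulnerable ordering the model ends with 755 units of debt against 500 of collateral; recording the debt before the transfer makes the nested collateral check fail and the total stays at 400.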