Cream Finance protocol steals $ 25.7 million in ETH and AMP – 2nd attack in just 6 months

Cream Finance hit by a 2nd attack in 6 months

Decidedly, the last few weeks have been fruitful for attackers of decentralized finance (DeFi) protocols. The Cream Finance loan and borrowing protocol has just suffered a major multi-million dollar attack.

According to the Cream Finance team, the attacker who exploited the flaw seized nearly 418 million AMP tokens and 1,308 Ethers (ETH). At the time of the attack, the total amount recovered by the hacker was nearly $ 25.7 million. The Ethereum address identified as belonging to the hacker currently has $ 18.8 million.

To prevent losses from continuing, the Cream Finance team has suspended all functionality specific to the AMP token. It also specifies that the other markets of the platform are not affected.

CREAM v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract.

We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.

– Cream Finance 🍦 (@CreamdotFinance) August 30, 2021

According to experts from PeckShield, a company specializing in crypto-security, the attacker managed to make a flash loan of 500 ETH, which was used to exploit a bug in Ampleforth’s smart contract and steal AMP tokens. As a reminder, “flash loans” are sub-collateralized loans that are borrowed and repaid within the same transaction.

Specifically, the attack deposited the ETH as collateral in the protocol, to borrow $ 19 million from AMP and use a reentrance bug to re-borrow 355 ETH with a smart contract function. By repeating the operation 17 times, the attacker managed to accumulate a jackpot of 5,980 ethers.

1/4 @CreamFinance was exploited in (one hack tx:, leading to the gain of ~ $ 18.8M for the hacker.

– PeckShield Inc. (@peckshield) August 30, 2021

Since the revelations of the attack, the price of AMP has fallen by nearly 15%, from $ 0.058 to nearly $ 0.050. As for the price of the CREAM token, it has fallen by 6%, from $ 180 to $ 167.

This is not the first time that Cream Finance has been hit by such a major attack. Last February, the protocol also suffered a flash-loan attack and had the equivalent of $ 37.5 million in cryptocurrency stolen.

Attacks against DeFi protocols are as frequent as ever. Whether on Ethereum, on the Binance Smart Chain or other blockchains that are starting to develop a large ecosystem of applications, the risk is still present, and this despite the many security audits carried out by specialized companies.

👉 On the same theme – Over $ 600 million stolen from the Poly Network protocol – The biggest crypto-hack of all time

About the author: Clément Wardzala


Editor-in-chief of Cryptoast, I discovered Bitcoin and blockchain technology in 2017. Since then, I have endeavored to share qualitative content so that the sector is democratized among everyone.
All articles by Clément Wardzala.

Back to top button