Cream Finance was hacked for over $18 million due to a reentrancy vulnerability, marking the third attack this year
Author: Chain Hunter
Today at noon, the DeFi lending platform Cream Finance suffered a flash loan attack. The attackers made off with 420 million AMP, 1,308 ETH and a small amount of stablecoins such as USDC, worth more than 18 million USD in total. This is the third attack on the project this year.
According to the security analysis firm PeckShield, the vulnerability exploited in this attack lies in the AMP token contract, which contains a reentrancy flaw that let the attacker borrow again while a loan was still being processed.
Specifically, in the first attack transaction, the hacker took out a flash loan of 500 ETH and deposited the funds as collateral, borrowing 19 million AMP. The hacker then exploited the reentrancy vulnerability to borrow an additional 355 ETH during the AMP token transfer process. Subsequently, the hacker self-liquidated the loan.
The hacker repeated the above process across 17 separate transactions, ultimately obtaining 5,980 ETH (approximately 18.8 million USD). At the time of writing, all of the funds remain in the hacker's address and have not been moved further.
It is understood that Cream Finance is a decentralized lending protocol initiated by the Taiwanese community that focuses on mid- and long-tail assets. It joined the YFI ecosystem at the beginning of the year and has since expanded to several blockchain networks, including Ethereum, BSC and Polygon. According to DefiLlama, Cream Finance currently has a total value locked of 1.6 billion USD, ranking fifth among decentralized lending protocols.
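As an added illustration, and not Cream's or AMP's own code, the following toy Python model shows the pattern the paragraphs above describe: a lending pool that records the borrower's debt only after transferring a token whose transfer hands control to the recipient, beside the same pool with the debt recorded before the transfer. The class names, the 75% collateral factor and the balances are constructed assumptions, and the `on_receive` hook stands in for an ERC777-style recipient hook.

```python
# Toy model (constructed, not Cream's or AMP's code) of the pattern described above: a token whose
# transfer() runs a recipient hook (ERC777-style) lets the borrower re-enter before the debt is recorded.
class HookToken:
    def __init__(self):
        self.balances = {}
    def transfer(self, src, dst, amount):
        self.balances[src] = self.balances.get(src, 0) - amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        getattr(dst, "on_receive", lambda a: None)(amount)  # recipient hook, like ERC777 tokensReceived

class VulnerablePool:
    """borrow() transfers first and records the debt afterwards: checks-effects-interactions violated."""
    RATIO = 0.75  # assumed collateral factor: borrow up to 75% of collateral value
    def __init__(self, token):
        self.token, self.collateral, self.debt = token, {}, {}
    def _check(self, user, amount):
        if self.debt.get(user, 0) + amount > self.collateral.get(user, 0) * self.RATIO:
            raise ValueError("insufficient collateral")
    def borrow(self, user, amount):
        self._check(user, amount)
        self.token.transfer(self, user, amount)            # external call: re-entrant
        self.debt[user] = self.debt.get(user, 0) + amount  # effect recorded too late

class SafePool(VulnerablePool):
    """Same pool with the debt recorded before the external call (a reentrancy guard also works)."""
    def borrow(self, user, amount):
        self._check(user, amount)
        self.debt[user] = self.debt.get(user, 0) + amount  # effect first
        self.token.transfer(self, user, amount)            # interaction last

class ReentrantBorrower:
    """Borrower whose receive hook calls borrow() again, once, while the first transfer is in flight."""
    def __init__(self, pool, amount):
        self.pool, self.amount, self.reentered = pool, amount, False
    def on_receive(self, _amount):
        if not self.reentered:  # re-enter exactly once
            self.reentered = True
            self.pool.borrow(self, self.amount)
def simulate(pool_cls, collateral=100, loan=75):
    """Return (tokens received, debt recorded, re-entry rejected) after one borrow call."""
    token = HookToken()
    pool = pool_cls(token)
    token.balances[pool] = 1_000  # pool liquidity (constructed)
    borrower = ReentrantBorrower(pool, loan)
    pool.collateral[borrower] = collateral
    try:
        pool.borrow(borrower, loan)
        return token.balances[borrower], pool.debt[borrower], False
    except ValueError:  # on-chain the whole transaction would revert at this point
        return token.balances[borrower], pool.debt[borrower], True
```

With the vulnerable ordering the borrower walks away with twice the permitted loan against the same collateral, which is the position a self-liquidation then leaves the protocol holding; with the effects-first ordering the second borrow fails its collateral check.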
Previously, the project has faced multiple hacker attacks, with total losses exceeding 56 million USD.
On February 13 of this year, hackers exploited a vulnerability in Alpha Homora V2 to borrow ETH, DAI, USDC, and other assets from Cream Finance's zero-collateral cross-protocol lending feature, Iron Bank, resulting in a loss of approximately 38 million USD for the project. Subsequently, Alpha Finance stated that it would fully compensate for the assets.
On the 28th of the same month, the DeFi aggregation platform Furucombo suffered a severe vulnerability attack, affecting Cream Finance's reserve account. The Cream Finance team immediately revoked all approvals for external contracts but still incurred a loss of 1.1 million USD.