The DeFi protocol Cream Finance (CREAM) has suffered a hack, losing a total of over 27 million USD in the process.
The AMP token contract implements ERC77-based ERC1820, which has the _callPreTransferHooks for reentrancy. Thank you @peckshield for assisting with this investigation.
— Cream Finance 🍦 (@CreamdotFinance) August 30, 2021
Only AMP contracts were affected
Cream Finance is a multi-chain lending platform operating on Ethereum, Binance Smart Chain, Polygon, and Fantom. According to their initial announcement on August 30, the hacker managed to steal 418 million AMP and 1,308 ETH from the affected smart contract, with a combined value of over 27 million USD.
No other contracts were affected and the AMP smart contract has been suspended. On their Twitter account, AMP stated that their own token contract is working as intended and that they will be working together with Cream to investigate the issue. Cream Finance has announced to release a post-mortem report as soon as possible.
PeckShield is leading the Investigations
The blockchain security firm PeckShield has picked up the investigations. The firm has published the attacker’s Ethereum address, which at the time of writing shows a total balance of over 19 million USD.
According to their first reports, this hack was another example of a flash loan exploit. PeckShield explains in detail the steps the hacker has repeatedly taken 17 times to drain the funds:
The hacker makes a flash loan of 500 ETH and deposits the funds as collateral. Then the hacker borrows 19M $AMP and makes use of the reentrancy bug to re-borrow 355 ETH […]. Then the hacker self-liquidates the borrow.