The DeFi security project Lossless has identified the Cream Finance hacker, leading the attacker to return most of the stolen funds.
Thanks to them we were able to track down and identify the hacker who we immediately engaged.
— Cream Finance 🍦 (@CreamdotFinance) October 1, 2021
The cat and mouse game with DeFi hackers
In August 2021, the DeFi lending platform Cream Finance was hacked and the attacker took off with over 19 million USD worth of AMP and ETH tokens after a successful flash loan attack. The money was now partially returned.
The driving factor behind solving the case was the DeFi security group Lossless, who claims to have extensive contacts within the hacker community. The attacker was ultimately identified by white-hat hacker Pascal Caversaccio. Cream Finance contacted the attacker and demanded a repayment of the stolen funds, to which the attacker complied.
In a tweet on Monday, Lossless also stated that they are working on a hack-mitigation tool, which will allow DeFi developers to freeze transactions for up to 24 hours, until further investigations can be completed.
Both Lossless and the attacker get a bounty
After the attack on August 30, Cream Finance announced to refund all losses from their fee revenue. Although the DeFi platform has received most of the stolen funds back, a large part of the refund will still be necessary.
First of all, the hack itself has caused more damage than the attacker was able to steal, due to transaction fees. In total, Cream Finance suffered a damage of 27 million USD. Secondly, Lossless will receive a bounty of 50% of the returned funds.
Finally, the attacker himself walks off scot-free with crypto-assets, worth almost 2 million USD. Immediately after the hack, Cream Finance offered the hacker a bug-bounty of 10% of the stolen funds. The DeFi platform will honor this promise, even though the hacker has been identified, which is certainly a small price to pay for saving the hassle of criminal and civil litigation.