Attackers exploited a security vulnerability to steal cryptocurrency currently worth around 30 million euros from the crypto lending platform Cream.Finance. In total, the unknown attackers were able to take around 462 million AMP tokens (currently around 21.48 million euros) and 2804.96 ether (currently 8.84 million euros) last Tuesday.
The exploited vulnerability enabled a so-called reentrancy attack, Cream.Finance wrote in a blog post. In such an attack, a function can, for example, be called again and again before the account balance is updated within the function call. The best-known example of such attacks is the spectacular demise of the multi-million dollar DAO project. At Cream.Finance, the attackers were reportedly able to trick a lending function and receive more money than intended. In total there were 17 fraudulent transactions; there was also probably a copycat offender.
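The ordering problem described above can be reproduced in a small Python model. This is an added example, not code from Cream.Finance or the AMP token: the `Pool` and `Recipient` classes, the hook `on_tokens_received` and all amounts are constructed assumptions, loosely modelled on tokens such as ERC-777 that notify the recipient during a transfer.

```python
# Simplified model, constructed for illustration; not Cream.Finance's contract.
class Pool:
    def __init__(self, cash, effects_first):
        self.cash = cash                    # tokens available to lend
        self.limit = {}                     # borrower name -> borrowing limit
        self.debt = {}                      # borrower name -> recorded debt
        self.effects_first = effects_first  # True = hardened ordering

    def borrow(self, who, amount):
        owed = self.debt.get(who.name, 0)
        # Check: relies on the debt recorded so far.
        if owed + amount > self.limit.get(who.name, 0) or amount > self.cash:
            raise RuntimeError("borrow rejected")
        if self.effects_first:
            self.debt[who.name] = owed + amount   # effect first ...
            self._transfer(who, amount)           # ... interaction last
        else:
            self._transfer(who, amount)           # interaction runs the hook
            # Effect is recorded only after the hook has returned.
            self.debt[who.name] = self.debt.get(who.name, 0) + amount

    def _transfer(self, who, amount):
        self.cash -= amount
        who.balance += amount
        who.on_tokens_received(self, amount)      # recipient hook (assumed name)


class Recipient:
    """Recipient whose hook calls borrow() again a bounded number of times."""
    def __init__(self, name, reentries):
        self.name, self.reentries = name, reentries
        self.balance, self.rejected = 0, 0

    def on_tokens_received(self, pool, amount):
        if self.reentries > 0:
            self.reentries -= 1
            try:
                pool.borrow(self, amount)
            except RuntimeError:
                self.rejected += 1


def simulate(effects_first):
    pool = Pool(cash=1000, effects_first=effects_first)
    user = Recipient("r1", reentries=3)
    pool.limit["r1"] = 100                        # constructed sample values
    pool.borrow(user, 100)
    return user.balance, pool.debt["r1"], user.rejected, pool.cash
```

With the debt recorded after the transfer, `simulate(False)` pays out 400 against a limit of 100; with the debt recorded first, `simulate(True)` pays out 100 and the nested call fails the collateral check.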
Coins to be refunded
Cream.Finance specializes in lending cryptocurrency and is counted among the so-called DeFi platforms. Users can use it to lend out cryptocurrency for interest or to take out loans. DeFi stands for Decentralized Finance, i.e. the attempt to create new, automated financial services based on smart contracts on decentralized blockchains such as Ethereum.
The problem apparently lay in the implementation of the AMP token, which was created according to the ERC-777 standard, in its own protocol, Cream.Finance explained. This was found out with the help of the security firm PeckShield. Until there is a patch for the vulnerability, the lending functions around the AMP token are blocked for the time being. All those affected are to be reimbursed for the loss in ether and AMP, said Cream.Finance. This is to be financed by reserving 20 percent of the fees collected by the service for repayment.
Raids in DeFi land
It is the second serious security incident at Cream.Finance in the past six months. In February, attackers managed to relieve Cream's Ironbank platform of around $38 million worth of cryptocurrency. However, that attack took place via a crypto service from Alpha Finance, with which Cream worked.
In general, the DeFi ecosystem appears to be a popular target. It was only in August that a hacker succeeded in stealing coins valued at over 600 million US dollars at the time from the Polynetwork platform. However, the hacker turned out to be friendly and gradually returned the amount withdrawn. Polynetwork had offered him a job as a security advisor; whether the hacker accepted remained open.
Cream.Finance is also hoping for a friendly white hat hacker: if the main attacker is willing to return the money, the platform will pay out 10 percent of the amount as a regular bug bounty, with no threat of any consequences. At the same time, however, the crypto platform also offered a reward for information that leads to the arrest of the perpetrator. Here it intends to share 50 percent of the amount recovered with tipsters.