ForkLog

Hackers drain more than $18m from Cream Finance DeFi protocol

The decentralised Cream Finance protocol was attacked via a flash loan and lost more than $18 million.

Update:

Cream Finance representatives confirmed the attack. They said the attackers used a reentrancy exploit in the AMP token contract and withdrew 418,311,571 AMP and 1,308 ETH.

"We have paused lending and borrowing on AMP. No other markets were affected," the developers said.

According to journalist Colin Wu, there were two hackers, and in total they conducted 17 transactions.

PeckShield Inc., a blockchain security firm, said they had identified the cause of the breach and offered to assist the Cream Finance developers.

"The hacker received a flash loan of 500 ETH and used them as collateral. He then borrowed $19M in AMP and used the reentrancy bug to borrow 355 ETH inside the AMP token transfer. The hacker subsequently liquidated the loan. He repeated these operations in 17 different transactions," the researchers explained.
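The ordering problem the researchers describe, reduced to a toy model as an added example (not code from Cream Finance, AMP or PeckShield): a pool that transfers tokens to a recipient with a receive hook before recording the debt pays out more than the collateral allows, while recording the debt first makes the nested borrow fail the collateral check. The class names, the single abstract unit of value and the 100-unit figures are assumptions made for the illustration.

```python
# Constructed model; not Cream Finance or AMP code. Amounts use one abstract value unit.

class LendingPool:
    def __init__(self, effects_first):
        self.effects_first = effects_first  # True = record debt before transferring
        self.collateral = {}                # borrower name -> collateral value
        self.debt = {}                      # borrower name -> recorded debt
        self.paid_out = 0                   # total value that left the pool

    def borrow(self, borrower, amount):
        name = borrower.name
        # Check: recorded debt plus the new loan must stay within collateral.
        if self.debt.get(name, 0) + amount > self.collateral.get(name, 0):
            raise ValueError("insufficient collateral")
        if self.effects_first:
            self.debt[name] = self.debt.get(name, 0) + amount  # effect
            self._transfer(borrower, amount)                   # interaction
        else:
            self._transfer(borrower, amount)                   # interaction
            self.debt[name] = self.debt.get(name, 0) + amount  # effect, too late

    def _transfer(self, borrower, amount):
        # The transfer notifies the recipient while borrow() is still executing.
        self.paid_out += amount
        borrower.on_tokens_received(self, amount)

class CallbackBorrower:
    """Hypothetical recipient whose receive hook calls borrow() once more."""
    def __init__(self, name):
        self.name = name
        self.reentered = False

    def on_tokens_received(self, pool, amount):
        if not self.reentered:
            self.reentered = True
            try:
                pool.borrow(self, amount)
            except ValueError:
                pass  # nested borrow rejected by the collateral check

def simulate(effects_first, collateral=100, loan=100):
    """Return (value paid out by the pool, collateral backing it)."""
    pool = LendingPool(effects_first)
    borrower = CallbackBorrower("b1")
    pool.collateral[borrower.name] = collateral
    pool.borrow(borrower, loan)
    return pool.paid_out, collateral

if __name__ == "__main__":
    print(simulate(False), simulate(True))
```

In an audit, the invariant to test is that value paid out never exceeds what the recorded collateral permits at any point where control leaves the contract.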

All stolen assets are held in the hacker’s wallet. PeckShield Inc. is monitoring this address for any movements.

Earlier in February, Cream Finance faced a similar attack. An unknown attacker exploited a vulnerability in the Iron Bank protocol (the second version of Cream Finance) and withdrew tokens worth $37.5 million.
