{"id":48504,"date":"2021-08-30T11:06:46","date_gmt":"2021-08-30T08:06:46","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=48504"},"modified":"2025-09-02T02:33:09","modified_gmt":"2025-09-01T23:33:09","slug":"hackers-drain-more-than-18m-from-cream-finance-defi-protocol","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/hackers-drain-more-than-18m-from-cream-finance-defi-protocol\/","title":{"rendered":"Hackers drain more than $18m from Cream Finance DeFi protocol"},"content":{"rendered":"<p>The decentralised Cream Finance protocol was attacked via a <a href=\"https:\/\/forklog.com\/en\/news\/what-are-flash-loans\">flash loan<\/a> and lost more than <a href=\"https:\/\/etherscan.io\/address\/0xce1f4b4f17224ec6df16eeb1e3e5321c54ff6ede\">$18 million<\/a>.<\/p>\n<div class=\"wp-block-text-wrappers-update-2 article_update\"><time class=\"gtb_text-wrappers_update_time\">30 August 2021 | 14:33<\/time><span class=\"gtb_text-wrappers_update_head\">Update: <\/span><\/p>\n<p>Cream Finance representatives confirmed the attack. They said the attackers used a reentrancy exploit in the AMP token contract and withdrew 418,311,571 AMP and 1,308 ETH.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract.<\/p>\n<p>We have stopped the exploit by pausing supply and borrow on AMP. 
No other markets were affected.<\/p>\n<p>\u2014 Cream Finance \ud83c\udf66 (@CreamdotFinance) <a href=\"https:\/\/twitter.com\/CreamdotFinance\/status\/1432249771750686721?ref_src=twsrc%5Etfw\">August 30, 2021<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u00abWe have paused lending and borrowing on AMP. No other markets were affected\u00bb, the developers said.<\/p>\n<\/blockquote>\n<\/div>\n<p>According to journalist Colin Wu, <a href=\"https:\/\/twitter.com\/WuBlockchain\/status\/1432240080047857666\" target=\"_blank\" rel=\"noreferrer noopener\">there were two hackers<\/a>; in total they conducted <a href=\"https:\/\/etherscan.io\/tx\/0xa9a1b8ea288eb9ad315088f17f7c7386b9989c95b4d13c81b69d5ddad7ffe61e\">17 transactions<\/a>.<\/p>\n<p>PeckShield Inc., a blockchain security firm, said they had identified the cause of the breach and offered to assist the Cream Finance developers.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">3\/4 Specifically, in the example tx, the hacker makes a flashloan of 500 ETH and deposit the funds as collateral. Then the hacker borrows 19M <a href=\"https:\/\/twitter.com\/search?q=%24AMP&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$AMP<\/a> and makes use of the reentrancy bug to re-borrow 355 ETH inside <a href=\"https:\/\/twitter.com\/search?q=%24AMP&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$AMP<\/a> token transfer(). Then the hacker self-liquidates the borrow. 
<a href=\"https:\/\/t.co\/ryVX2RoxhJ\">pic.twitter.com\/ryVX2RoxhJ<\/a><\/p>\n<p>\u2014 PeckShield Inc. (@peckshield) <a href=\"https:\/\/twitter.com\/peckshield\/status\/1432250680799027204?ref_src=twsrc%5Etfw\">August 30, 2021<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u00abThe hacker received a flash loan of 500 ETH and used them as collateral. He then borrowed $19M in AMP and used the reentrancy bug to borrow 355 ETH inside the AMP token transfer. The hacker subsequently liquidated the loan. He repeated these operations in 17 different transactions\u00bb, the researchers explained.<\/p>\n<\/blockquote>\n<p>All stolen assets are held in the hacker&#8217;s wallet. PeckShield Inc. is monitoring this address for any movements.<\/p>\n<p>Earlier in February, Cream Finance faced a similar attack. An unknown attacker exploited a vulnerability in the Iron Bank protocol (the second version of Cream Finance) and <a href=\"https:\/\/forklog.com\/en\/news\/hacker-drains-37-5-million-from-cream-finance-defi-protocol\">withdrew tokens worth $37.5 million<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The decentralised Cream Finance protocol was attacked via a flash loan and lost more than $18 
million.<\/p>\n","protected":false},"author":1,"featured_media":48505,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[2101,1154,1093,1424],"class_list":["post-48504","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cream-finance","tag-crimes","tag-defi","tag-protocols"],"aioseo_notices":[],"amp_enabled":true,"views":"33","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/48504","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=48504"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/48504\/revisions"}],"predecessor-version":[{"id":48506,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/48504\/revisions\/48506"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/48505"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=48504"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=48504"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=48504"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}