Lending and borrowing platform Cream Finance has been involved in a large, multi-million dollar exploit. The attacker has made off with more than 418 million in Ampleforth’s algorithmic , AMP, and 1,308 .
The total sum amounts to $25,678,948, but the price of AMP has already fallen more than 15% at press time, according to CoinGecko.
The attacker’s address indicates that they currently have $18.8 million.
The Cream Finance team has stopped further losses by “pausing supply and borrow on AMP.”
We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.
— Cream Finance (@CreamdotFinance) August 30, 2021
Cream Finance is a decentralized finance () platform that lets users earn interest on their idle cryptocurrencies. Unlike Platforms like Aave or Compound, Cream has many more markets for many more esoteric cryptocurrencies. Cream is actually a fork of the Compound code base.
PeckShield, a crypto-security firm, explained that the hacker was able to make a 500 Ethereum flash loan which was used to exploit a “reentrancy bug” found in the Ampleforth smart contract.
3/4 Specifically, in the example tx, the hacker makes a flashloan of 500 ETH and deposit the funds as collateral. Then the hacker borrows 19M $AMP and makes use of the reentrancy bug to re-borrow 355 ETH inside $AMP token transfer(). Then the hacker self-liquidates the borrow. pic.twitter.com/ryVX2RoxhJ
— PeckShield Inc. (@peckshield) August 30, 2021
This story is breaking and will be updated as more information becomes available.