Decentralized finance (DeFi) lending protocol Cream Finance came under attack on Monday when a hacker exploited a vulnerability in the $AMP token contract to carry out a flash loan attack, resulting in $18.8 million stolen.
This morning, the protocol notified the community that 418,311,571 AMP and 1,308.09 ETH were lost as a result of the attack. AMP lending and borrowing is currently on hold. The team did not respond to a request for comment regarding the results of the ongoing investigation or the timing of the resumption of AMP lending.
A post-mortem analysis by blockchain analysis company PeckShield is currently underway, Cream said. PeckShield has tweeted some of its findings so far, although it remains unclear whether an official post-mortem will be posted in tandem with Cream.
According to PeckShield, a reentrancy bug was discovered in the $AMP contract, allowing for a flash loan attack. These types of attacks allow hackers to continue borrowing assets with minimal collateral, as they can continue to re-borrow funds as long as they are returned within a single transaction block.
In Cream’s case, according to PeckShield’s initial analysis, the hacker used a flash loan of 500 ETH and deposited those funds as collateral before borrowing 19 million AMP. They then used the reentrancy vulnerability in the $AMP contract to borrow an additional 355 ETH inside the $AMP transaction before self-liquidating.
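A simplified Python model of the borrow-inside-a-token-transfer pattern described above, added here as an illustration and not taken from Cream's or AMP's contracts. The `Market` class, the 75% collateral factor and the value units are assumptions; the model contrasts recording debt after the receiver hook runs with recording it first behind a reentrancy lock.

```python
COLLATERAL_FACTOR_PCT = 75  # constructed value, not a parameter from the page


class Market:
    """Toy lending market (assumed model): borrow limit is checked against recorded debt."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.collateral = 0
        self.debt = 0
        self.locked = False

    def limit(self):
        return self.collateral * COLLATERAL_FACTOR_PCT // 100

    def borrow(self, value, on_receive=None):
        if self.hardened and self.locked:
            raise RuntimeError("reentrant borrow rejected")
        if self.debt + value > self.limit():
            raise ValueError("insufficient collateral")
        self.locked = True
        try:
            if self.hardened:
                self.debt += value      # effects first: debt is recorded ...
            if on_receive:
                on_receive(self)        # ... before the token transfer calls the receiver
            if not self.hardened:
                self.debt += value      # flawed ordering: debt recorded after the hook ran
        finally:
            self.locked = False


def simulate(hardened):
    """Return (recorded debt, borrow limit, rejected nested calls) for one transaction."""
    market = Market(hardened)
    market.collateral = 500             # value units deposited as collateral
    rejected = []

    def receive_hook(m):                # receiver code invoked during the token transfer
        try:
            m.borrow(355)               # nested borrow while the first is unfinished
        except (RuntimeError, ValueError) as exc:
            rejected.append(str(exc))

    market.borrow(300, on_receive=receive_hook)   # 300 is a constructed value
    return market.debt, market.limit(), rejected
```

With the flawed ordering the market ends up with debt above its own limit, because the nested call's collateral check ran while the first borrow was still unrecorded; the hardened variant rejects the nested call and stays within the limit.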
The hacker performed this process over 17 transactions, bringing the total lost funds to over $18 million. While it is unclear who the attacker is, PeckShield is tracking the address.
“Funds are still stored in 0xCE1F… .6EDE. We are actively monitoring this address for any movements,” the message says.
No other markets were affected by the attack, Cream said.
While this is the first flash loan attack to hit Cream Finance, the protocol did experience a domain name hijacking earlier this year. Users were presented with a fake web portal designed to trick them into entering information related to their private keys.
Flash loans remain a controversial tool in the DeFi ecosystem. Several protocol creators continue to point to the possible benefits and aspects of alignment, despite the many hacks that have used this tool.