Cream Finance Crypto Exchange Hacked – Lost $29 Million To Attackers

Heads up, crypto users. Another cryptocurrency exchange has suffered a cyber attack losing assets worth millions of dollars. This time, the criminals hacked the Cream Finance crypto exchange by exploiting a vulnerability in the AMP token.

Cream Finance Crypto Exchange Hacked

Reportedly, the crypto exchange Cream Finance was hacked, losing $29 million worth of digital assets to hackers.

Cream Finance is a relatively newer crypto exchange that started in August 2020. The service is live on Ethereum, Binance Smart Chain, and Fantom.

The news about the hacking attack first surfaced online after the blockchain security firm PeckShield Inc. disclosed it in a series of tweets.

As revealed, they found that Cram Finance exchange lost roughly $18 million after a hacker exploited an AMP reentrancy vulnerability.

The hack is made possible due to a reentrancy bug introduced by $AMP, which is an ERC777-like token and exploited to re-borrow assets during its transfer before updating the first borrow.

This allowed the attacker to make a huge flash loan by repeated borrowing from the exchange.

Specifically, in the example tx, the hacker makes a flashloan of 500 ETH and deposit the funds as collateral. Then the hacker borrows 19M $AMP and makes use of the reentrancy bug to re-borrow 355 ETH inside $AMP token transfer(). Then the hacker self-liquidates the borrow.

Soon after, Cream Finance also confirmed the same in their official tweets. Unfortunately, while they stopped the exploit, the attacker still managed to inflict a huge loss.

Specifically, the attacker pilfered $25.1 million worth of AMP and $4.15 million worth of Ethereum.

PeckShield Inc. is monitoring the attacker’s wallet address. More details may likely surface online soon.

This incident happened soon after a weird crypto heist of $610 million targeting Poly Network crypto exchange earlier this month. However, the attacker turned out a white-hat hacker as he returned the stolen money.

Related posts

Apple Addressed Two Zero-Day Flaws In Intel-based Macs

Really Simple Security Plugin Flaw Risks 4+ Million WordPress Websites

Glove Stealer Emerges A New Malware Threat For Browsers