DeFi Protocol Cream Finance Hacked for Second Time This Year

The attacker drained just over $25 million of AMP tokens and ether.

Cream Finance, a decentralized finance (DeFi) lending protocol, suffered its second flash loan attack this year, with the perpetrators draining more than $25 million.

  • The attack was first reported by PeckShield in a tweet early on Monday. The blockchain security firm pointed to Ethereum records showing at least $6 million were drained at 5:44 UTC.
  • Cream Finance later confirmed the hack in a tweet, adding that 418,311,571 AMP tokens and 1,308.09 ether had been stolen, bringing the total value of the hack to just over $25 million. PeckShield updated its estimate, saying the hacker siphoned off about $18.8 million.
  • The root cause of the incident was lending of AMP tokens, Cream Finance Product Manager Eason Wu said on Discord. Other assets on Cream are secure, he said.
  • AMP token contracts allowed for a reentrancy attack, the same type of exploit used in the infamous DAO hack.
  • Flash loan attacks take advantage of one of DeFi’s most controversial features: loans that do not require collateral.
  • Cream Finance lost $37 million in the attack earlier this year.

UPDATE (AUG. 30, 9:13 UTC): Updates value, adds details from Cream Finance tweet.

UPDATE (AUG. 30, 10:22 UTC): Adds updated estimate from PeckShield.

Eliza Gkritsi

Eliza Gkritsi is a CoinDesk contributor focused on the intersection of crypto and AI, having previously covered mining for two years. She previously worked at TechNode in Shanghai and has graduated from the London School of Economics, Fudan University, and the University of York. She owns 25 WLD. She tweets as @egreechee.
