Cream Finance platform pilfered for over $34 million in cryptocurrency

The project has promised to cover losses suffered by its users.

Cream Finance has lost over $34 million in cryptocurrency after a cyberattacker exploited a vulnerability in the project's market system. 

The decentralized finance (DeFi) organization is the developer of a lending protocol for individuals, with yields on offer for some cryptocurrency stakes. Assets on the platform include Ethereum (ETH), the AMP token, CREAM token, USDT, and COMP.

Cream said an attacker managed to exploit a vulnerability on August 31, leading to the theft of 462,079,976 in AMP ($24.2m) tokens and 2,804.96 ETH tokens ($9.9m), according to an update posted on September 1.

At current prices, this amounts to over $34 million. 

In an analysis of the attack, with the assistance of PeckShield, Cream said an error in how the platform integrated AMP, leading to a reentrancy bug, was the source of the exploit

"While unfortunate and disappointing, we take ownership of the error," the developers say. 

Cream is now working with law enforcement to try and trace the attacker -- or, attackers, as the platform says a "copycat" was also in play at the time of the main attack. The second individual has a transaction history with Binance.

The organization has paused AMP supply and borrow functions until a patch can be deployed. The stolen ETH and AMP will be replaced, with 20% of protocol fees now earmarked to repay customers. 

Cream says that if the attacker is willing to return the stolen cryptocurrency, they can keep 10%, without any consequences as a form of bug bounty payment. However, if others are able to provide a lead on the identity of the cyberattacker leading to their arrest and/or prosecution, 50% of the value of the stolen funds is on offer. as a reward  

If neither offer is successful, "we will forward all relevant information to law enforcement authorities and prosecute to the fullest extent of the law," the company says.

This is not the first time Cream has fallen foul of a cyberattack. In February, the platform lost $37.5 million due to a flash loan exploit made via IronBank. 

Earlier this month, DeFi platform Poly Network said an attacker exploited a vulnerability in the platform to siphon away roughly $610 million in cryptocurrency, including BSC and ETH. The thief has since returned the funds and is signed off as "Mr. White Hat" in Poly blog posts. 

The company has returned assets to its rightful owners and is currently in the process of restoring cross-chain services. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0