Decentralized platform Cream Finance came under attack from hackers, who stole upwards of $26 million in Ethereum (ETH) and AMP tokens.
According to Cream Finance, the platform lost 418,311,571 AMP, which is currently valued at $22.1 million. They also lost 1,308 Ethereum currently valued at $4.42 million as of Tuesday.
By the time the Cream Finance team had identified the hack, the damage had already been done. The team had to quickly pause supply and borrow on AMP to stop the exploit.
Security firm PeckShield first spotted the attack and then moved quickly to dissect what happened.
“The hack is made possible due to a reentrancy bug introduced by AMP, which is an ERC777-like token and exploited to re-borrow assets during its transfer before updating the first borrow.
Specifically, in the example [transaction], the hacker makes a flash loan of 500 ETH and deposits the funds as collateral. Then, the hacker borrows 19 million AMP and makes use of the reentrancy bug to re-borrow 355 ETH inside AMP token transfer(). Then the hacker self-liquidates the borrow. The hacker repeats the above process in 17 different transactions and gains in total 5.98K ETHs (with ~$18.8 million),” they said.
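The ordering problem PeckShield describes can be shown with a toy model in Python. This is an added example, not Cream Finance's or AMP's code: a pool that pays out through a token with a receive hook before recording the debt lets the recipient borrow again against a stale balance, while recording the debt first makes the second request fail the collateral check. All class and function names, and the values 100 and 80, are constructed for illustration.

```python
class Pool:
    """Constructed lending pool; values are in one abstract unit."""

    def __init__(self, effects_first):
        self.effects_first = effects_first  # True: record debt before paying out
        self.collateral = {}  # account -> borrow limit
        self.debt = {}        # account -> recorded debt
        self.paid_out = 0     # total value that has left the pool

    def deposit(self, account, value):
        self.collateral[account] = self.collateral.get(account, 0) + value

    def borrow(self, account, value):
        # Collateral check uses whatever debt is recorded right now.
        if self.debt.get(account, 0) + value > self.collateral.get(account, 0):
            raise ValueError("insufficient collateral")
        if self.effects_first:
            self.debt[account] = self.debt.get(account, 0) + value
            self._send(account, value)
        else:
            self._send(account, value)  # hook runs while debt is still stale
            self.debt[account] = self.debt.get(account, 0) + value

    def _send(self, account, value):
        # Models an ERC777-like transfer: the recipient's hook is invoked.
        self.paid_out += value
        account.tokens_received(self, value)


class ReenteringBorrower:
    """Recipient whose receive hook asks for one more loan of the same size."""

    def __init__(self):
        self.reentered = False
        self.rejected = False

    def tokens_received(self, pool, value):
        if self.reentered:
            return
        self.reentered = True
        try:
            pool.borrow(self, value)
        except ValueError:
            self.rejected = True  # the pool refused the nested borrow


def run(effects_first):
    pool, who = Pool(effects_first), ReenteringBorrower()
    pool.deposit(who, 100)  # borrow limit of 100
    pool.borrow(who, 80)
    return pool.paid_out, pool.debt[who], who.rejected
```

With the payout first, the pool releases 160 against a limit of 100; with the debt recorded first, the nested request is rejected and only 80 leaves the pool.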
Cream Finance's native token, CREAM, is down more than 10% on the day.
Over the past few years, we have seen an increase in hacks of these decentralized platforms. It goes to show that we are still years away from these platforms being free of security vulnerabilities, if that is ever to become a thing.