CREAM Finance Attack Leads to $23 Million Loss in AMP and ETH

New token standards introduce complexity that DeFi applications are still learning how to grapple with.

Prime example: Money market CREAM Finance was hit with a reentrancy attack on Aug. 30 that allowed attackers to drain $22.8 million in Flexa’s AMP token and $4.2 million worth of ETH (based on market prices in mid-morning trading Monday).

Blockchain security company Peckshield ascribed the attack to the way the AMP token functions. The company tweeted, “The hack is made possible due to a reentrancy bug introduced by $AMP, which is an ERC-777-like token and exploited to re-borrow assets during its transfer before updating the first borrow.”

With $82.4B in assets currently locked up on decentralized finance (DeFi) smart contracts, the industry presents a tantalizing honeypot for cybercriminals. There have been a slew of similar attacks this year, including a previous attack on CREAM in February.

Flexa is a crypto-enabled payments network that runs on Ethereum. It uses its AMP token to collateralize payments on its network until they are finalized. Its founder, Tyler Spalding, told The Defiant via Telegram, “We think AMP is functioning as expected/intended. Seems to be a flash loan vulnerability on CREAM.” 

Known Issues?

Most cybercriminals aren’t creatively coming up with brand new exploits. Many times, they’re just trying known attacks on different networks to see if any work. Case in point, Spalding said, based on his understanding, the issue that led to the attack on CREAM was similar to one that ConsenSys Diligence had identified on Uniswap in 2019. His team has reached out to CREAM to coordinate on what to do next.

Emilio Frangella from the technical team at another money market protocol Aave, told The Defiant that ERC-777s require special handling. 

“If the protocol hasn’t proper reentrancy protections or is not implemented in a way that makes reentrancy harmless, this can be used to mess up the protocol’s internal accounting. This can cause, for example, having a user with a much higher collateral than what is actually deposited,” Frangella wrote via Telegram.

CREAM Finance was not immediately reachable by The Defiant.