Cream Finance, a decentralized finance (DeFi) platform, recently reported that its cryptocurrency wallet had been hacked. Hackers claimed to have stolen over $29 million in cryptocurrency assets!
In a tweet earlier today, the company confirmed the hack, stating the extent of damage and the stolen amount. The tweet came an hour after PeckShield, a blockchain security firm, noticed signs of an ongoing crypto-heist.
C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract.
We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.
— Cream Finance 🍦 (@CreamdotFinance) August 30, 2021
According to the company’s statement, the hacker used a “reentrancy attack” against its “flash loan” feature to steal 418,311,571 AMP tokens, worth approximately $25.1 million at the time of the incident. The company also reported the theft of 1,308.09 ETH, worth approximately $4.15 million.
A “flash loan” is a contract (script) running on the Ethereum blockchain that lets users quickly borrow from Cream Finance’s assets and pay the loan back later.
A reentrancy attack exploits a bug in such a contract that lets an attacker repeatedly withdraw funds before the original transaction has been approved or declined, or before the funds fall due for repayment.
The exploitation of this bug has been confirmed by PeckShield and by Tal Be’ery, founder of the cryptocurrency wallet app ZenGo. The hacker appears to have exploited a bug in the ERC777 token contract interface, a platform the company uses to interact with the main Ethereum blockchain.
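To make the mechanism in the preceding paragraphs concrete, here is a small Python model, added for this article and not taken from Cream Finance, AMP or any real contract, of how a token hook that fires during a transfer lets a borrower re-enter a lending market before it has written down the first loan, and how the two standard defenses (update state before calling out, and a reentrancy guard) stop it. Everything in it, including the class names, the 0.5 collateral factor and the amounts, is constructed for the illustration.

```python
"""Toy model of the ERC777-hook reentrancy the article describes.

Added illustration, not Cream Finance's or AMP's contract code: the class
names, amounts and the 0.5 collateral factor are constructed for the example.
"""

COLLATERAL_FACTOR = 0.5  # constructed: each collateral unit backs 0.5 units of debt


class HookToken:
    """ERC777-like token: a transfer notifies the recipient before it returns."""

    def __init__(self):
        self.balances = {}

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient token balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount
        # The tokensReceived hook: recipient code runs in the middle of the
        # caller's transaction, before control returns to the lending pool.
        if hasattr(recipient, "tokens_received"):
            recipient.tokens_received(sender, amount)


class VulnerablePool:
    """Lending market that records the debt only AFTER transferring the tokens."""

    def __init__(self, token):
        self.token = token
        self.collateral = {}
        self.debt = {}

    def borrow_limit(self, who):
        return self.collateral.get(who, 0) * COLLATERAL_FACTOR

    def borrow(self, who, amount):
        # CHECK: the new debt must stay within the collateral's borrowing power.
        if self.debt.get(who, 0) + amount > self.borrow_limit(who):
            raise PermissionError("borrow exceeds collateral limit")
        # INTERACTION before EFFECT: the hook inside transfer() re-enters borrow()
        # while self.debt still holds the old value, so the check passes again.
        self.token.transfer(self, who, amount)
        self.debt[who] = self.debt.get(who, 0) + amount


class GuardedPool(VulnerablePool):
    """Same market with checks-effects-interactions ordering plus a reentrancy guard."""

    def __init__(self, token):
        super().__init__(token)
        self._entered = False  # plays the role of Solidity's nonReentrant flag

    def borrow(self, who, amount):
        if self._entered:
            raise PermissionError("reentrant call rejected")
        self._entered = True
        try:
            if self.debt.get(who, 0) + amount > self.borrow_limit(who):
                raise PermissionError("borrow exceeds collateral limit")
            # EFFECT first: the ledger shows the loan before any external code runs.
            self.debt[who] = self.debt.get(who, 0) + amount
            self.token.transfer(self, who, amount)
        finally:
            self._entered = False


class ReentrantBorrower:
    """Borrower whose receive hook calls borrow() again, up to `rounds` times in total."""

    def __init__(self, pool, rounds):
        self.pool, self.rounds, self.calls, self.blocked = pool, rounds, 0, 0

    def tokens_received(self, sender, amount):
        self.calls += 1
        if self.calls < self.rounds:
            try:
                self.pool.borrow(self, amount)
            except PermissionError:
                # A Solidity try/catch around the nested call would swallow its
                # revert the same way; the outer, legitimate borrow still completes.
                self.blocked += 1


def run_scenario(pool_cls, rounds=5, collateral=100, amount=50):
    """Run one borrow against pool_cls and report what the ledger shows afterwards."""
    token = HookToken()
    pool = pool_cls(token)
    token.balances[pool] = 1_000            # constructed liquidity supplied by lenders
    borrower = ReentrantBorrower(pool, rounds)
    pool.collateral[borrower] = collateral  # borrowing power: 50 units
    pool.borrow(borrower, amount)
    debt, limit = pool.debt.get(borrower, 0), pool.borrow_limit(borrower)
    return {
        "drawn": token.balance_of(borrower),
        "debt_recorded": debt,
        "blocked": borrower.blocked,
        # The solvency invariant a monitoring layer could check after each market call.
        "within_limit": debt <= limit,
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerablePool))
    print("guarded:   ", run_scenario(GuardedPool))
```

Running it shows the vulnerable pool handing out 250 units against a 50-unit limit, because every nested borrow() sees a debt ledger that still reads zero, while the guarded pool completes only the single legitimate borrow and rejects the re-entry. The `within_limit` flag is the kind of invariant an automated safety valve of the sort proposed further down could evaluate after every market call; it trips on the first over-borrow.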
1/4 @CreamFinance was exploited in (one hack tx: https://t.co/JPW7e368qd), leading to the gain of ~$18.8M for the hacker.
— PeckShield Inc. (@peckshield) August 30, 2021
“ERC777 has facilitated several reentrancy attacks on DeFi online services previously,” said Be’ery. But despite the bad history, these services keep using this feature.
The ZenGo founder advised these services to design or incorporate protective systems that keep intruders out of their underlying contracts, which are the core of their business and the ultimate target of hackers.
1/ #Defi needs an Application Firewall 🔥🧱 The attack involved 17 Txs. If there was a solution to automatically identify such exploitation and close some safety valve to halt system, then the damage would have been 1/17 < 6% or only ~1M instead of ~18M. https://t.co/qEbTgdx3Jc
— Tal Be’ery (@TalBeerySec) August 30, 2021
According to a report released by CipherTrace, DeFi-related hacks made up about 76% of all major hacks this year, with losses of over $474 million from attacks on DeFi platforms in 2021. The majority of these attacks involved flash loans, a feature offered by DeFi services.
Similarly, DeFi hacks accounted for about 21% of all cryptocurrency hacks in 2020, whereas such hacks were practically nonexistent in 2019!
These rising attacks on DeFi platforms may stem from the unregulated cryptocurrency ecosystem, where security is often an afterthought, and from the failure of many platforms to implement robust, firewall-like systems to protect their underlying technical base. Some have even been found using buggy contracts that can easily be exploited by anyone familiar with cryptography and C and C++ coding.