DeFi Platform Cream Finance Exploited For $19 Million

One of the biggest DeFi lending protocols to date, Cream Finance, announced that the platform suffered from a security breach, resulting in a $19 million worth of cryptos loss.

According to the team at Cream Finance, the attacker managed to exploit a reentrancy bug in the AMP token in a set of 17 transactions, gaining $18.8 million.

The attacker managed to exploit a bug caused by the introduction of the AMP token into the protocol. According to an audit from Peckshield, a blockchain security and data analytics company, the attacker took 418,311,571 amp and 1,308.09 ethereum.

“The hacker makes a flash loan of 500 ETH and deposit the funds as collateral. Then the hacker borrows 19M $AMP and makes use of the reentrancy bug to re-borrow 355 ETH inside $AMP token transfer. Then the hacker self-liquidates the borrow.” Peckshield added that “The funds are still parked in the attacker’s wallet. We are actively monitoring this address for any movement.”

This is not the first time Cream had security issues, as in February the protocol got hacked for $37.5 million, exploiting a rounding miscalculation in the code and a whitelisting function of an Alpha Finance smart contract.

Meanwhile, cross-chain asset management platform and DEX aggregator DeFiYield announced that its team created a database of 2,516 „REKT” projects, spanning from 2016 to the present day.

According to the database of rug pulls, vulnerabilities, hacks, dubious projects, and exit scams, hackers and malicious entities managed to steal as much as $1.7 billion worth of cryptocurrencies.

“What the team has created is a valuable store of all key information concerning rug pulls, which will help to prevent other malicious actors from attempting the same scams in the future,” the DeFi aggregator noted.

DeFiYield also plans to integrate an access gate for the database via popular crypto wallets such as MetaMask.

The largest listed exploit to date is the Poly Network hack, which resulted in more than $600 million worth of crypto loss. However, Poly Network got lucky and the hacker returned the stolen funds, while others weren’t that lucky.

Despite the hacks, the total value locked (TVL) of DeFi projects has been steadily increasing in July and August, reaching $125 billion as of press time. The biggest DeFi projects to date are Aave, InstaDApp, and Curve Finance, each having a TVL value of over $11 billion, with Aave locking in $15.7 billion in TVL, while InstaDApp and Curve have TVL values of $11.5 billion and $11.4 billion, respectively.