The de-centralized loan platform CREAM Financial, which lost a nonidentified thief at least 18 million dollars in cryptocurrency on Monday.
The name of Biz stands for Crypto Rules All Around Me, which obviously overestimates the control of the lending operation over its funds.
The company said via Twitter that the exploitation had been blocked by stopping the supplier and borrowing contracts for the AMP token, “CREAM v1 on Ethereum was exploited by a loss of 418,311,571 in AMP and 1,308,09 in eTH, by way of re-entrancy of the Amp Tocke Contract.”
These values currently amount to approximately $23 million in AMP and $4.4 million in ETH, but prices have fluctuated. The theft was estimated at $18.8m by PeckShield, a security company that was investigating the incident.
CREAM Finance based in Taiwan does not offer loans that cannot be mistaken for Latvia’s Cream Finance. One way is by means of “Flash Loans.”
Flash Loans, explains the company in its documents, offer smart contract developers a short access to the ‘undercollateralized loans,’ whereas the amount borrowed and the fee must be returned through a blockchain operation (about 15 seconds).
DeFi is based on what optimists call intelligent contracts – code-based financial operations instead of human brokers.The risk of confident clever code is known as a reentrant attack when the contact function calls an external function interfering with the data that affects the calling function operations.
A very costly error
“The hack is made possible because of an ERC777-like reentry bug introduced by Amp, which was used to retrieve assets while it was being transferred before the first loan was updated,” Peck Shield explained on Twitter.
According to PekShield, a 500 ETH Flash Loan was made and the fund was deposited as collateral, then borrowed AMP 19m and used an incoming bug to re-borrow 355 ETH into the transmission token function and automatically liquidated the amount borrowed.
The cryptorobber was able to win 5,980 ETH (around $19m) by repeating this process 17 times.
ERC777 defines an interface between the Ethereum token contract and the ERC20 token. The Amp token has been designed for the purpose of securing digital property payments through the Flexa payment network. An audit of the Amp token in June 2020 indicated that it was suggested that Amp be modified in order that reentry attacks should become safer.
The Amp Project suggested in a Monday Twitter post that it is not responsible for its technology. “Recently the Amp on Cream Finance was wiped out with a Flash loan exploit,” said the group. “We believe that the Amp agreement will work as intended after an initial review. We work closely with [CREAM Finance] to further examine and provide further details at the earliest opportunity.”
Two significant issues related to centralising control and the poor documentation of its technology were identified in the separately audited CREAM [PDF] by Trail of Bits in January 2021.
Back in February, a DeFi product called Alpha Homora, to help people earning better interest on their crypto holdings, lost $37m in a heist that took advantage of CREAM’s Iron Bank lending platform.