Cream Finance loses $25M in flash loan attack

DeFi lending protocol Cream Finance has reportedly lost $25 million in a flash loan attack, the second in the past six months.
The decentralized finance (DeFi) lending and borrowing platform reported that its CREAM V1 market had been targeted on Monday.
C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract.
— Cream Finance 🍦 (@CreamdotFinance) August 30, 2021
We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.
According to Cream Finance, the attack was executed via reentrancy on the AMP token contract, a Consensys-backed digital collateral token listed within the dApp. The hacker used a flash loan before exploiting the reentrancy bug.
Vulnerabilities that stem from reentrancy are one of the most common types of security bugs in smart contracts. Meanwhile, blockchain security company PeckShield led the initial analysis revealing that the exploit began when the hacker took out a flash loan of 500 ETH and deposited it as collateral to borrow 19 million AMP tokens. He then re-borrowed 355 ETH by leveraging the reentrancy bug before self-liquidating the loan and repeating the process multiple times to extract funds.
3/4 Specifically, in the example tx, the hacker makes a flashloan of 500 ETH and deposit the funds as collateral. Then the hacker borrows 19M $AMP and makes use of the reentrancy bug to re-borrow 355 ETH inside $AMP token transfer(). Then the hacker self-liquidates the borrow. pic.twitter.com/ryVX2RoxhJ
— PeckShield Inc. (@peckshield) August 30, 2021
41.8 million AMP tokens and 1308.09 ETH, currently worth about $25 million were stolen during the exploit. Following the attack, the supply and borrowing of AMP tokens have been suspended on the platform.
In February, Cream suffered a similar flash loan attack that led to the loss of roughly $37.5 million worth of cryptocurrency.
While the price of AMP appears to have fallen by 15% since the news broke, Ethereum remains relatively unaffected.
The latest flash loan exploit comes amid the increasing spate of exploits on centralized and decentralized cryptocurrency platforms. Poly Network, Bilaxy, and Liquid have all been exploited recently.