The hacker stole $24.2 million in AMP and $9.9 million in Ether. The attack adds to a growing list of high-profile hacks on Decentralized Finance (DeFi) platforms in 2021.
Hackers Exploited Vulnerability in AMP Integration With the Platform
According to Crypto Rules Everything Around Me (C.R.E.A.M.) Finance, the attacker exploited an error in how the platform integrated AMP, leading to a reentrancy bug. The platform stated that there were two attacks: a main exploit and a smaller copycat. The copycat address has a withdrawal history with Binance, to whom C.R.E.A.M. Finance has since reached out for help. C.R.E.A.M. Finance also stated its intent to “forward all relevant information to law enforcement authorities and prosecute to the fullest extent of the law.”
The platform said that it has paused its AMP supply and borrow functions. These services will remain suspended until a patch can be safely deployed. It also announced that it will replace the stolen tokens so that there is no liquidity trouble for users, and that it will commit to allocating 20% of all protocol fees received to repay its customers. This is the first time C.R.E.A.M. has been exploited directly, the company said.
C.R.E.A.M. Finance is a DeFi organization and the developer of a lending protocol for individuals. The crypto assets on the platform include Ethereum, AMP Token, CREAM Token, Tether, and COMP.
Platform Announces Bounties for Recovery of Funds
C.R.E.A.M. Finance said it will learn from the incident and use it to improve and strengthen its protocol. The platform also announced that it will give the attacker a 10% bug bounty if they return the stolen funds. Additionally, C.R.E.A.M. Finance announced that anyone who identifies the attacker and provides information that leads to their arrest and prosecution will receive 50% of the returned funds.
This attack adds to a growing list of hacks on DeFi platforms. Just last month, Poly Network was the target of the largest-ever crypto heist. The hacker has since returned all of the stolen funds, amounting to over $600 million in cryptocurrency. Japanese crypto exchange Liquid was also hit by a cyberattack, in which the actors stole over $94 million in digital tokens.
This is not the first time C.R.E.A.M. Finance has suffered from a cyberattack. In February this year, the organization lost $37.5 million due to a flash loan exploit made via IronBank.