[TheRecord] Hackers steal $29 million from crypto-platform Cream Finance

Hackers are estimated to have stolen more than $29 million in cryptocurrency assets from Cream Finance, a decentralized finance (DeFi) platform that allows users to loan and speculate on cryptocurrency price variations.

The company confirmed the hack earlier today, half an hour after blockchain security firm PeckShield noticed signs of an ongoing attack.

C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract.

We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.

— Cream Finance 🍦 (@CreamdotFinance) August 30, 2021

Cream Finance said the hacker used a “reentrancy attack” in its “flash loan” feature to steal 418,311,571 in AMP tokens (estimated at around $25.1 million at the time of the hack) and 1,308.09 in ETH coins (estimated at around $4.15 million).

The term “flash loan” refers to a contract (script) that runs on the Etherium blockchain that allows Cream Finance users to take quick loans from the company’s funds and then return them at a later date.

Reentrancy attacks take place when a bug in these contracts allows an attacker to withdraw funds repeatedly, in a loop, before the original transaction is approved or declined or the funds need to be returned.

PeckShield and Tal Be’ery, the cofounder of cryptocurrency wallet app ZenGo, confirmed that the Cream Finance hacker exploited a bug in the ERC777 token contract interface that’s used by Cream Finance to interact with the underlying Etherium blockchain.

Be’ery told The Record today that ERC777 has enabled several reentrancy attacks on DeFi online services, which keep relying on the feature despite its history of bad implementations, bugs, and hacks.

The ZenGo cofounder also told The Record that DeFi services need to develop or implement a firewall-like system for their platforms in order to filter malicious requests to their underlying contracts, which are the backbone of their services and the targets of most of these hacks.

1/ #Defi needs an Application Firewall 🔥🧱
The attack involved 17 Txs.
If there was a solution to automatically identify such exploitation and close some safety valve to halt system, then the damage would have been 1/17 < 6% or only ~1M instead of ~18M. https://t.co/qEbTgdx3Jc

— Tal Be’ery (@TalBeerySec) August 30, 2021

DeFi related hacks have accounted for 76% of all major hacks in 2021, and users have lost more than $474 million to attacks on DeFi platforms this year, according to CipherTrace. Most of the attacks on DeFi protocols employed flash loans, the company said in a report released earlier this month.

Similarly, DeFi hacks also made up 21% of all the 2020 cryptocurrency hacks and stolen funds after being almost inexistent a year before, in 2019, the company said in a report last year.

This trend of hackers targeting DeFi platforms can be explained by the fact that the cryptocurrency ecosystem is highly unregulated, security is almost an afterthought, and many platforms fail at implementing their underlying technical base, many running buggy contracts (scripts) that can be easily abused by anyone with knowledge of cryptography and C and C++ coding.

The post Hackers steal $29 million from crypto-platform Cream Finance appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

[HackerNews] Facebook Will Limit Your WhatsApp Features For Not Accepting Privacy Policy

All posts

WhatsApp on Friday disclosed that it won’t deactivate accounts of users who don’t accept its new privacy policy rolling out on May 15, adding it will continue to keep reminding them to accept the new terms. “No one will have their accounts deleted or lose functionality of WhatsApp on May 15 because of this update,” the Facebook-owned […]

Read More

[ZDNet] Quest-owned fertility clinic announces data breach after August ransomware attack

All posts, ZDNet

350,000 patients of ReproSource had their medical data leaked and some even had SSNs and credit card numbers exposed as well. Source: Read More (Latest topics for ZDNet in Security)

Read More

[BleepingComputer] SteelSeries bug gives Windows 10 admin rights by plugging in a device

The official app for installing SteelSeries devices on Windows 10 can be exploited to obtain administrator rights, a security researcher has found. […] Source: Read More (BleepingComputer)

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.