[TheRecord] Hackers steal $29 million from crypto-platform Cream Finance

Hackers are estimated to have stolen more than $29 million in cryptocurrency assets from Cream Finance, a decentralized finance (DeFi) platform that allows users to loan and speculate on cryptocurrency price variations.

The company confirmed the hack earlier today, half an hour after blockchain security firm PeckShield noticed signs of an ongoing attack.

C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract.

We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.

— Cream Finance 🍦 (@CreamdotFinance) August 30, 2021

Cream Finance said the hacker used a “reentrancy attack” in its “flash loan” feature to steal 418,311,571 in AMP tokens (estimated at around $25.1 million at the time of the hack) and 1,308.09 in ETH coins (estimated at around $4.15 million).

The term “flash loan” refers to a contract (script) that runs on the Ethereum blockchain that allows Cream Finance users to take quick loans from the company’s funds and then return them at a later date.

Reentrancy attacks take place when a bug in these contracts allows an attacker to withdraw funds repeatedly, in a loop, before the original transaction is approved or declined or the funds need to be returned.

PeckShield and Tal Be’ery, the cofounder of cryptocurrency wallet app ZenGo, confirmed that the Cream Finance hacker exploited a bug in the ERC777 token contract interface that’s used by Cream Finance to interact with the underlying Ethereum blockchain.

Be’ery told The Record today that ERC777 has enabled several reentrancy attacks on DeFi online services, which keep relying on the feature despite its history of bad implementations, bugs, and hacks.
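The mechanism the previous paragraphs describe, as an added toy model that is not Cream Finance's, the AMP token's or ERC777's code: the class names HookToken, Market and Attacker and every figure below are constructed. HookToken keeps the one ERC777 property that matters here (a transfer calls a hook on the recipient before control returns to the caller), and Market shows the vulnerable ordering beside the two usual fixes, checks-effects-interactions and a reentrancy lock.

```python
"""Toy model of the reentrancy bug class described above.

Added example, not code from Cream Finance, the AMP token or ERC777 itself:
HookToken, Market and Attacker are constructed stand-ins. HookToken keeps the
one ERC777 property that matters here: transfer() calls a hook on the
recipient before control returns to the caller. Market shows the vulnerable
ordering (pay out, then update state) next to two standard fixes.
"""
import copy


class ReentrancyError(Exception):
    pass


class HookToken:
    """Balances keyed by account object, plus an ERC777-style recipient hook."""

    def __init__(self):
        self.balances = {}

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        # The recipient's code runs *inside* the transfer. A caller that has
        # not yet updated its own bookkeeping can be re-entered right here.
        hook = getattr(recipient, "tokens_received", None)
        if callable(hook):
            hook(sender, amount)


class Market:
    """Lending market with one borrow() path in three variants:
    guard=None    vulnerable: pay out first, record the debt afterwards
    guard="cei"   checks-effects-interactions: record the debt, then pay out
    guard="lock"  mutex-style reentrancy guard around borrow()
    """

    def __init__(self, token, guard=None):
        self.token, self.guard = token, guard
        self.credit, self.debt = {}, {}
        self._entered = False

    def open_credit(self, user, limit):
        self.credit[user], self.debt[user] = limit, 0

    def borrow(self, user, amount):
        if self.guard != "lock":
            return self._borrow(user, amount)
        if self._entered:
            raise ReentrancyError("borrow re-entered")
        self._entered = True
        try:
            self._borrow(user, amount)
        finally:
            self._entered = False

    def _borrow(self, user, amount):
        if self.debt[user] + amount > self.credit[user]:  # check
            raise ValueError("over credit limit")
        if self.guard == "cei":
            self.debt[user] += amount                      # effect
            self.token.transfer(self, user, amount)        # interaction
        else:
            self.token.transfer(self, user, amount)        # interaction first...
            self.debt[user] += amount                      # ...effect too late


class Attacker:
    """Recipient whose hook re-enters borrow() while the debt is still stale."""

    def __init__(self, market, amount, rounds):
        self.market, self.amount, self.rounds = market, amount, rounds
        self.reentries = 0

    def tokens_received(self, sender, amount):
        if self.reentries < self.rounds:
            self.reentries += 1
            self.market.borrow(self, self.amount)


def run_scenario(guard, credit=100, reserves=1000, amount=100, rounds=5):
    """Run one borrow transaction; return (attacker balance, recorded debt, error).
    Like an EVM transaction the call is atomic: on any exception both ledgers
    are rolled back to their pre-transaction snapshot."""
    token = HookToken()
    market = Market(token, guard)
    attacker = Attacker(market, amount, rounds)
    token.balances[market] = reserves
    market.open_credit(attacker, credit)
    snapshot = (copy.copy(token.balances), copy.copy(market.debt))
    try:
        market.borrow(attacker, amount)
        error = None
    except (ValueError, ReentrancyError) as exc:
        token.balances, market.debt = snapshot
        error = str(exc)
    return token.balances.get(attacker, 0), market.debt[attacker], error
```

`run_scenario(None)` lets a user with a credit line of 100 walk away with 600 tokens, because every re-entered check still sees a debt of zero; the same call with `"cei"` or `"lock"` raises inside the hook and the whole transaction rolls back, while an honest borrower (`rounds=0`) is served identically under all three variants.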

The ZenGo cofounder also told The Record that DeFi services need to develop or implement a firewall-like system for their platforms in order to filter malicious requests to their underlying contracts, which are the backbone of their services and the targets of most of these hacks.

1/ #Defi needs an Application Firewall 🔥🧱
The attack involved 17 Txs.
If there was a solution to automatically identify such exploitation and close some safety valve to halt the system, then the damage would have been 1/17 < 6% or only ~1M instead of ~18M. https://t.co/qEbTgdx3Jc

— Tal Be’ery (@TalBeerySec) August 30, 2021
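A sketch of the automatic safety valve Be’ery argues for, as an added example that is not code from Cream Finance or ZenGo. The event stream, the reserve figures and the market names are constructed; each Event is one transaction's net outflow from a market, and the valve pauses a market once the outflow within a short window of blocks reaches a fraction of its reserves, mirroring the "pausing supply and borrow" step the company took by hand.

```python
"""Sketch of the automatic safety valve Be'ery argues for in the tweet above.

Added example, not code from Cream Finance or ZenGo. The event stream,
reserve figures and market names below are constructed. Each Event is one
transaction's net outflow from a market; the valve pauses a market once the
outflow inside a short window of blocks reaches a fraction of its reserves,
then refuses further transactions on that market until an operator acts.
"""
from collections import defaultdict, deque, namedtuple

Event = namedtuple("Event", "block tx market outflow")

# Constructed reserves (token units), not Cream Finance's real figures.
RESERVES = {"AMP": 1_000_000, "ETH": 5_000}

# Constructed stream: a little legitimate activity, then 17 draining
# transactions in consecutive blocks, mirroring the tweet's 17 Txs figure.
CONSTRUCTED_EVENTS = (
    [Event(100, "legit-01", "AMP", 2_000), Event(101, "legit-02", "ETH", 50)]
    + [Event(110 + i, f"attack-{i + 1:02d}", "AMP", 50_000) for i in range(17)]
    + [Event(120, "legit-03", "AMP", 1_000), Event(130, "legit-04", "ETH", 40)]
)


class SafetyValve:
    def __init__(self, reserves, window_blocks=10, max_fraction=0.10):
        self.reserves = reserves
        self.window = window_blocks
        self.max_fraction = max_fraction
        self.recent = defaultdict(deque)   # market -> (block, outflow) in window
        self.paused = {}                   # market -> tx that tripped the valve
        self.outflow = defaultdict(int)    # market -> units that left before pause
        self.blocked = defaultdict(int)    # market -> txs refused while paused

    def observe(self, ev):
        """Admit or refuse one transaction. Returns True if it went through."""
        if ev.market in self.paused:
            self.blocked[ev.market] += 1
            return False
        window = self.recent[ev.market]
        window.append((ev.block, ev.outflow))
        while window[0][0] <= ev.block - self.window:
            window.popleft()
        self.outflow[ev.market] += ev.outflow
        drained = sum(amount for _, amount in window)
        if drained >= self.max_fraction * self.reserves[ev.market]:
            self.paused[ev.market] = ev.tx   # pause supply/borrow on this market
        return True


def run_monitor(events, reserves=RESERVES, window_blocks=10, max_fraction=0.10):
    """Replay events in block order; report the per-market outcome."""
    valve = SafetyValve(reserves, window_blocks, max_fraction)
    for ev in sorted(events, key=lambda e: e.block):
        valve.observe(ev)
    return {m: {"paused_at": valve.paused.get(m),
                "outflow": valve.outflow[m],
                "blocked": valve.blocked[m]} for m in reserves}


def unprotected_outflow(events, market):
    """What leaves the market if nothing ever pauses it."""
    return sum(ev.outflow for ev in events if ev.market == market)
```

On the constructed stream the AMP market is paused at the second draining transaction, so 100,000 of the 850,000 units the 17 transactions would otherwise remove actually leave, roughly the 1/17-scale reduction the tweet describes; the ETH market is never touched. The cost is visible too: the legitimate `legit-03` transaction is refused while the pause holds, which is why a valve like this pauses for operator review rather than trying to adjudicate individual transactions.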

DeFi related hacks have accounted for 76% of all major hacks in 2021, and users have lost more than $474 million to attacks on DeFi platforms this year, according to CipherTrace. Most of the attacks on DeFi protocols employed flash loans, the company said in a report released earlier this month.

Similarly, DeFi hacks also made up 21% of all the 2020 cryptocurrency hacks and stolen funds after being almost nonexistent a year before, in 2019, the company said in a report last year.

This trend of hackers targeting DeFi platforms can be explained by the fact that the cryptocurrency ecosystem is highly unregulated, security is almost an afterthought, and many platforms fail to implement their underlying technical base properly, many running buggy contracts (scripts) that can be easily abused by anyone with knowledge of cryptography and C and C++ coding.

The post Hackers steal $29 million from crypto-platform Cream Finance appeared first on The Record by Recorded Future.
