[TheRecord] Hackers steal $130 million from Cream Finance; the company’s 3rd hack this year

Hackers have stolen an estimated $130 million worth of cryptocurrency assets from Cream Finance, a decentralized finance (DeFi) platform that allows users to loan and speculate on cryptocurrency price variations.

The incident was detected earlier today by blockchain security firms PeckShield and SlowMist and confirmed by the Cream Finance team.

The attackers are believed to have found a vulnerability in the platform’s lending system, called flash loaning, and used it to steal all of Cream’s assets and tokens running on the Ethereum blockchain, according to blockchain security firm BlockSec, which also posted an explanation of the security flaw on Twitter earlier today.

Our initial analysis of the Cream Finance attack: https://t.co/TysI7fjyPU @Mudit__Gupta @bantg @CreamdotFinance pic.twitter.com/wScUvizBtX

— BlockSec (@BlockSecTeam) October 27, 2021

A breakdown of the stolen funds is available below, courtesy of the SlowMist team.

Image: SlowMist

Roughly six hours after the attack, Cream Finance said it fixed the bug exploited in the hack with the help of cryptocurrency platform Yearn.

Although the attacker’s initial wallet, used to exfiltrate a large chunk of the funds, has been identified, the funds have already been moved to new accounts, and there appears to be only a small chance that the stolen crypto can be tracked down and returned to the platform.

Third time’s a charm

Today’s hack marks the third time Cream Finance has been hacked this year after the company lost $37 million in February and another $29 million in August.

All attacks were flash loan exploits, a common way through which most DeFi platforms have been hacked over the past two years.

DeFi-related hacks have accounted for 76% of all major hacks in 2021, and users have lost more than $474 million to attacks on DeFi platforms this year, CipherTrace said in a report in August.

Similarly, DeFi hacks made up 21% of all 2020 cryptocurrency hacks and stolen funds after being almost nonexistent a year before, in 2019, CipherTrace said in a report last year.

The Cream heist also marks the second-largest cryptocurrency hack this year after DeFi platform Poly Network lost $600 million in August. However, the individual behind the Poly hack eventually returned all the stolen funds two weeks later on the promise that the company would not seek charges.

The post Hackers steal $130 million from Cream Finance; the company’s 3rd hack this year appeared first on The Record by Recorded Future.
