Cream Finance Loses over $29 Million in Cryptocurrency Assets
Using a Flash Loan, Hackers Were Able to Perform a Reentrancy Attack.
The decentralized finance (DeFi) platform Cream Finance confirmed yesterday that hackers had stolen more than $29 million in cryptocurrency assets from it. Blockchain security firm PeckShield, which had been monitoring the attack as it unfolded, had flagged the attack pattern on Twitter about half an hour before Cream's confirmation.
$29 Million in Cryptocurrency Assets Theft: Characteristics of the Cyberattack
As the company described, the attackers used a flash loan to carry out a "reentrancy attack". A flash loan is an uncollateralized loan issued by a smart contract on the Ethereum blockchain: the borrowed funds must be returned within the same transaction, otherwise the entire transaction is reverted, so a borrower can wield a large amount of capital without posting any collateral.
A reentrancy attack works as follows. The attacker finds a contract that hands out funds before it records that it has done so. When the transfer passes control back to the attacker's contract (through a token callback, for example), the attacker calls the vulnerable function again. Because the contract's state has not yet been updated, its checks pass a second time, and the attacker can withdraw repeatedly before the original call completes.
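The following Python model is an added illustration and is not Cream Finance's code or any real contract: it mimics an ERC777-style token whose transfer calls a hook on the recipient, a lending pool that transfers before it records the debt, an attacker whose hook re-enters the pool, and EVM-style atomic revert. All names (HookToken, VulnerablePool, HardenedPool, Attacker, run_attack) and the starting balances are made up; the attacker's 100 units of collateral stand in for capital that a flash loan would supply. The hardened pool shows the two standard fixes, checks-effects-interactions ordering and a reentrancy guard.

```python
"""Toy model of the reentrancy pattern described above (added example, not Cream's code)."""
from typing import Callable, Dict


class Reverted(Exception):
    """Stands in for an EVM revert: the whole transaction is undone."""


class HookToken:
    """ERC777-like token: a transfer calls back into the recipient before it returns."""

    def __init__(self, balances: Dict[str, int]):
        self.balances = dict(balances)
        self.hooks: Dict[str, Callable[[str, int], None]] = {}

    def register_hook(self, addr: str, fn: Callable[[str, int], None]) -> None:
        # Like ERC777 'tokensReceived': a contract registers code that runs on receipt.
        self.hooks[addr] = fn

    def transfer(self, sender: str, recipient: str, amount: int) -> None:
        if self.balances.get(sender, 0) < amount:
            raise Reverted("insufficient token balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = self.hooks.get(recipient)
        if hook is not None:
            hook(sender, amount)  # control passes to the recipient mid-transfer


class Pool:
    """Lending pool: borrow() is limited by the caller's collateral (hypothetical)."""

    def __init__(self, token: HookToken, addr: str, collateral: Dict[str, int]):
        self.token = token
        self.addr = addr
        self.collateral = dict(collateral)
        self.debt: Dict[str, int] = {}
        self._locked = False

    def _check(self, who: str, amount: int) -> None:
        if self.debt.get(who, 0) + amount > self.collateral.get(who, 0):
            raise Reverted("undercollateralized")


class VulnerablePool(Pool):
    def borrow(self, who: str, amount: int) -> None:
        self._check(who, amount)
        # Interaction before effect: the token hook fires here while self.debt
        # still holds the old value, so a re-entered borrow() passes the check again.
        self.token.transfer(self.addr, who, amount)
        self.debt[who] = self.debt.get(who, 0) + amount


class HardenedPool(Pool):
    def borrow(self, who: str, amount: int) -> None:
        if self._locked:
            raise Reverted("reentrant call")  # reentrancy guard (nonReentrant)
        self._check(who, amount)
        self.debt[who] = self.debt.get(who, 0) + amount  # effect first (CEI ordering)
        self._locked = True
        try:
            self.token.transfer(self.addr, who, amount)  # interaction last
        finally:
            self._locked = False


class Attacker:
    """Contract whose receive hook re-enters the pool a fixed number of times."""

    def __init__(self, pool: Pool, token: HookToken, addr: str, rounds: int):
        self.pool, self.addr, self.rounds, self.reentries = pool, addr, rounds, 0
        token.register_hook(addr, self.on_receive)

    def on_receive(self, _sender: str, amount: int) -> None:
        if self.reentries < self.rounds:
            self.reentries += 1
            self.pool.borrow(self.addr, amount)  # nested borrow against the same collateral


def run_attack(pool_cls, rounds: int = 3) -> Dict[str, object]:
    """One transaction: attacker with 100 collateral borrows 100; its hook re-enters `rounds` times."""
    token = HookToken({"pool": 1_000, "attacker": 0})  # constructed balances
    pool = pool_cls(token, "pool", {"attacker": 100})
    Attacker(pool, token, "attacker", rounds)
    snapshot = (dict(token.balances), dict(pool.debt))
    try:
        pool.borrow("attacker", 100)
    except Reverted as exc:
        token.balances, pool.debt = snapshot  # atomic revert: nothing sticks
        return {"reverted": str(exc), "borrowed": 0, "debt": 0,
                "pool_balance": token.balances["pool"]}
    return {"reverted": None,
            "borrowed": token.balances["attacker"],
            "debt": pool.debt.get("attacker", 0),
            "pool_balance": token.balances["pool"]}


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerablePool))  # 400 borrowed against 100 collateral
    print("hardened:  ", run_attack(HardenedPool))    # reverted, pool balance untouched
```

Against the vulnerable pool, three re-entries let the attacker take 400 tokens against 100 of collateral, and every nested borrow passed the collateral check because the debt was recorded only after each transfer returned. Against the hardened pool, the first nested call hits the guard and the whole transaction reverts; the effects-before-interactions ordering alone would also have stopped it, since the nested check would then see the debt already recorded.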
$29 million in Cryptocurrency Assets Theft: What Experts Said
According to The Record, the experts who commented on the incident were PeckShield and Tal Be'ery, co-founder of the ZenGo cryptocurrency wallet. Be'ery confirmed that the exploit relied on the ERC777 token standard: ERC777 tokens, which run on the Ethereum blockchain, call a hook on the recipient during a transfer, and that callback gives an attacker the opportunity to re-enter DeFi contracts that are not protected against it.
Since such contracts are the building blocks on which DeFi systems are built, Tal Be'ery stressed the need for an application-firewall layer:
#Defi needs an Application Firewall. The attack involved 17 Txs. If there was a solution to automatically identify such exploitation and close some safety valve to halt the system, then the damage would have been 1/17 < 6% or only ~1M instead of ~18M.
What Are the Stolen Sums?
Through this reentrancy attack, the hacker is reported to have taken 418,311,571 AMP tokens and 1,308.09 ETH, worth about $25.1 million and $4.15 million respectively at the time of the attack.
According to a CipherTrace report, DeFi systems accounted for 76% of the cryptocurrency hacks in 2021, with losses reaching $474 million. The same report found that flash loans featured in the majority of those attacks.