Reentrancy attack siphoned off millions
CREAM Finance, a decentralized loan platform, lost at least $18m in cryptocurrency on Monday to an unidentified thief. The biz’s name stands for Crypto Rules Everything Around Me, which evidently overstates the lending operation’s control over its funds. “CREAM v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the Amp token contract,” the company said via Twitter, adding that it had blocked the exploit by pausing supply and borrow contracts for the AMP token. Currently, those values translate to about $23m in AMP and $4.4m in ETH but prices have been fluctuating. PeckShield, a security firm that has been looking into the incident, estimated the theft at $18.8m. Taiwan-based CREAM Finance, not to be confused with Latvia-based Cream Finance, offers loans. One way it does so is through ” Flash Loans.” Flash Loans, the company explains in its documentation, provide those developing smart contracts with brief access to “undercollateralized loans” – the borrowed amount and a fee must be returned within one blockchain transaction block ( about 15 seconds).
