Reentrancy attack siphoned off millions
CREAM Finance, a decentralized loan platform, lost at least $18m in cryptocurrency on Monday to an unidentified thief. The biz’s name stands for Crypto Rules Everything Around Me, which evidently overstates the lending operation’s control over its funds. « CREAM v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the Amp token contract, » the company said via Twitter, adding that it had blocked the exploit by pausing supply and borrow contracts for the AMP token. Currently, those values translate to about $23m in AMP and $4.4m in ETH but prices have been fluctuating. PeckShield, a security firm that has been looking into the incident, estimated the theft at $18.8m. Taiwan-based CREAM Finance, not to be confused with Latvia-based Cream Finance, offers loans. One way it does so is through » Flash Loans. » Flash Loans, the company explains in its documentation, provide those developing smart contracts with brief access to « undercollateralized loans » – the borrowed amount and a fee must be returned within one blockchain transaction block ( about 15 seconds).
