DeFi Lending Protocol Cream Finance has fallen victim to a flash-loan attack losing the protocol $25 million during the attack.
Blockchain security firm Peckshield discovered the attack
Cream Finance (CREAM), a project described as a decentralized DeFi lending protocol for individuals, was exploited using a flash loan. According to initial statements, the attack resulted in a loss of $18 million, but this was because the price of AMP dropped 15%. During the attack itself, around $25 million of AMP was stolen.
The Chinese journalist Wu Blockchain reported that two attackers carried out the exploit with a total of 17 transactions and Cream finance confirmed the attack on their Twitter stating that they have stopped the exploit by pausing supply and borrow on AMP.
Blockchain security firm Peckshield was the first to discover the attack and alerted the DeFi Protocol about it. They said they found the cause of the attacks and asked Cream Finance to contact them for more details. Later the firm explained that the hacker was able to make a 500 Ethereum flash loan using an exploit found in the Ampleforth smart contract.
The second time that Cream Finance was exploited
The project was also exploited on February 13 and lost $37.5 million. The attacker managed to manipulate the liquidity in the original pool at Homora Bank and ended up borrowing large amounts of WETH, USDC, USDT and DAI from the Iron Bank. They repeated the process and flash loans until they captured over $37 million directly from the protocol.
At the time of writing, CREAM is trading at $166.69, and it is possible that the price could fall even further as the news spreads. CREAM has lost about 5% in value in the last 24 hours which is likely caused by the attack.