Hackers have stolen more than $29 million worth of cryptocurrency assets from Cream Finance, a decentralized finance (DeFi) platform.
C.R.E.A.M. Finance is a decentralized lending protocol for individuals, institutions and protocols to access financial services. It promises earnings to users who are passively holding ETH or wBTC.
The company confirmed the security breach via Twitter.
The attack was first spotted by the blockchain security firm PeckShield, which published a series of tweets containing evidence of the breach.
According to Cream Finance, the attackers conducted a “reentrancy attack” against its “flash loan” feature to steal 418,311,571 in AMP tokens and 1,308.09 in ETH coins.
The finance platform stated that the AMP token contract implements ERC777-based ERC1820, which has the _callPreTransferHooks for reentrancy.
Reentrancy attacks consist of withdrawing funds repeatedly before the original transaction is approved or declined.
According to PeckShield, the attackers exploited a bug in the ERC777 token contract interface implemented by Cream Finance to interact with the Ethereum blockchain.
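The ordering problem behind a hook-based reentrancy, shown as an added example that is not Cream Finance's or AMP's code: a simplified Python model in which every name (`HookToken`, `Pool`, `ReentrantRecipient`, `run`) is hypothetical and all figures are constructed. It contrasts a pool that records debt after the token transfer with one that records it before.

```python
# Simplified model with constructed values; not Cream Finance or AMP code.
class HookToken:
    """Token that calls a hook on the recipient before balances move."""
    def __init__(self):
        self.balance = {}
    def transfer(self, src, dst, amount):
        if hasattr(dst, "pre_transfer_hook"):
            dst.pre_transfer_hook()  # recipient code runs mid-transfer
        if self.balance.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balance[src] -= amount
        self.balance[dst] = self.balance.get(dst, 0) + amount

class Pool:
    def __init__(self, token, liquidity, effects_first):
        self.token, self.effects_first = token, effects_first
        self.debt, self.collateral = {}, {}
        token.balance[self] = liquidity
    def borrow(self, who, amount):
        if self.debt.get(who, 0) + amount > self.collateral.get(who, 0):
            raise PermissionError("borrow exceeds collateral")
        if self.effects_first:
            self.debt[who] = self.debt.get(who, 0) + amount  # record, then pay
            self.token.transfer(self, who, amount)
        else:
            self.token.transfer(self, who, amount)  # pay; hook sees stale debt
            self.debt[who] = self.debt.get(who, 0) + amount

class ReentrantRecipient:
    """Recipient whose hook calls borrow() again, up to `depth` times."""
    def __init__(self, pool, amount, depth):
        self.pool, self.amount, self.depth = pool, amount, depth
    def pre_transfer_hook(self):
        if self.depth > 0:
            self.depth -= 1
            try:
                self.pool.borrow(self, self.amount)
            except PermissionError:
                pass  # nested borrow rejected by the collateral check

def run(effects_first):
    """Return (tokens received, debt recorded) for 100 units of collateral."""
    token = HookToken()
    pool = Pool(token, liquidity=1000, effects_first=effects_first)
    who = ReentrantRecipient(pool, amount=100, depth=3)
    pool.collateral[who] = 100
    pool.borrow(who, 100)
    return token.balance.get(who, 0), pool.debt[who]
```

With the transfer first, every nested call passes the collateral check because no debt has been written yet; with the debt recorded first, the nested calls are rejected.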
Cream is now working with law enforcement to try and trace the attacker. The organization has paused AMP supply and borrow functions until a patch can be deployed. The stolen ETH and AMP will be replaced, with 20% of protocol fees now earmarked to repay customers.