Posted on October 28, 2021 at 4:43 PM
DeFi Protocol Cream Finance has suffered another hacking incident, making it the third time the platform has been attacked this year.
This time, the hackers stole $130 million, as detected by blockchain security firms SlowMist and PeckShield. The attack has also been confirmed by Cream Finance.
Hackers Exploited A Vulnerability In The Flash Loaning System
According to reports, the hackers found some loopholes in the lending system of the platform, giving them unauthorized access to the flash loan system. Once they got access to the platform, the hackers stole all the assets and tokens running on Cream Finance’s Ethereum blockchain.
Cream Finance is a DeFi protocol that enables users to loan and speculate on crypto price variations.
Blocks, a blockchain security firm, explained the vulnerability on Twitter, showing how the hackers were able to exploit the flaw. A few hours after the hacking incident, Cream Finance announced that the flaw had been patched.
The wallets used in transferring the looted funds have been discovered. However, it will still be very difficult to get the funds back because they have been moved to new accounts. This means there is only a small chance of the crypto funds being tracked down and sent back to the platform.
The flash loan attack cost about 9 ETH in gas and involved about 68 different assets. As of press time, $22 million worth of the stolen tokens is held in the contract creator’s address while the attackers hold $92 million worth of different tokens stolen from the platform.
Hackers Keep Finding Loopholes In Cream Finance’s System
As mentioned earlier, this isn’t the first time Cream Finance has been attacked. It’s actually the third time this year.
The first attack was in February when threat actors stole $37.5 million in a flash loan attack. Shortly after the attack, the company’s token, CREAM, lost 30% of its value.
Six months later, Cream Finance became the victim of a multi-million dollar hacking exploit. This time, the attackers stole 1,300 Ethereum and more than 418 million AMP, the native token of Flexa Network. At the time, the second hack was valued at roughly $29 million.
Apart from the loss of tokens in the recent attack, CREAM’s price has also fallen by 28%, trading at $113.63 at the time of writing.
The latest attack on Cream Finance goes to prove that threat actors have intensified their efforts to launch attacks on DeFi platforms. So, Cream is not alone in this problem, as other platforms have had their fair share of attacks.
In August, it was the turn of interoperability DeFi protocol Poly Network to suffer an attack. Reports at the time noted that the protocol lost $600 million in the attack, making it the largest attack any platform has suffered in the industry.
These types of attacks and their frequency have led people to call for more security and protection of investors’ funds. Gary Gensler, Chair of the Securities and Exchange Commission (SEC), recently pointed out that there is a need for more consumer protection in the DeFi and crypto industry.
He said there is a need for stronger consumer protection if stakeholders want the Decentralized Finance space to grow.
“There’s a lot of lending going on. … And without protection, I fear that it’s going to end poorly,” Gensler stated.
The Recent Rise In DeFi-Related Hacks
All the hacks Cream Finance suffered were flash loan attacks, which have been the most popular hacking method on DeFi platforms for the past two years.
Hacking incidents related to DeFi have accounted for 76% of all major hacking incidents this year. In August, CipherTrace reported that users had already lost about $474 million due to attacks on DeFi platforms this year. The amount is now over $500 million if the most recent attacks are included.
Last year, CipherTrace also reported that attacks on DeFi platforms made up about 21% of all the cryptocurrency hacks in 2020. Before then, hacking incidents on DeFi platforms were almost nonexistent.
The latest hack on Cream Finance is the second largest crypto hack this year after the $600 million Poly Network hack. But the hacker responsible for the Poly Network hack returned all the stolen funds after getting assurance they would not be charged for the incident.
As of press time, no information has been received from the Cream Finance hackers.