An estimated $130 million worth of cryptocurrency assets have been stolen from Cream Finance, a decentralized finance (DeFi) platform that allows users to finance and speculate on cryptocurrency price fluctuations.
On October 27th at 13:54UTC, our Ethereum C.R.E.A.M. v1 lending market was attacked. The attacker used this wallet (https://etherscan.io/address/0x24354d31bc9d90f62fe5f2454709c32049cf866b) to move a total of approximately US$130 million worth of tokens from this market. Other markets were not affected.
This incident was detected by blockchain security firms PeckShield and SlowMist and confirmed by the Cream Finance team.
BlockSec, a blockchain security firm, said it believes the attackers discovered a vulnerability in the platform’s lending system (called flash-loaning) and used it to steal all of Cream’s assets and tokens running on the Ethereum blockchain. BlockSec also posted an explanation of the security flaw on Twitter.
Approximately six hours after the attack, Cream Finance, with the help of cryptocurrency platform Yearn, said it had fixed the bug exploited in the hack.
Even if the attacker’s first wallet, which was used to drain the bulk of the funds, is identified, the funds have already been transferred to a new account and it seems unlikely that the stolen crypto can be traced back to the platform.
This is the third time that Cream Finance has been hacked, after losing $37 million in February and $29 million in August.
All of the attacks exploited flash loans, a common method by which most DeFi platforms have been hacked over the past two years.
DeFi-related hacks accounted for 76 percent of all major hacks in 2021, and users lost more than $474 million from attacks on the DeFi platform in 2021, CipherTrace said in an August report.
Similarly, the DeFi hack accounted for 21% of all cryptocurrency hacks and stolen funds in 2020, after being almost non-existent in 2019, according to the report.
It was also the second biggest cryptocurrency hack of the year, occurring after hackers stole $600 million from DeFi platform Poly Network in August.
But the person who hacked Poly eventually returned all the stolen funds two weeks later with the promise that the company would not seek prosecution.
Comments