The decentralized finance (DeFi) lending protocol Cream Finance (CREAM) suffered a hack that led to the loss of about $26 million in Ethereum (ETH) and AMP tokens.
Cream Finance says the platform lost 418,311,571 AMP, currently valued at $22.1 million, and 1,308 ETH, currently valued at $4.42 million, on Tuesday “by way of reentrancy on the AMP token contract.” At the time of the hack, the crypto was worth about $18 million.
The platform paused supply and borrow on AMP to stop the exploit. AMP is a crypto asset used as collateral for stablecoin payments.
The blockchain security firm PeckShield first spotted and analyzed the hack.
“The hack is made possible due to a reentrancy bug introduced by AMP, which is an ERC777-like token and exploited to re-borrow assets during its transfer before updating the first borrow.
Specifically, in the example [transaction], the hacker makes a flash loan of 500 ETH and deposits the funds as collateral.
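The ordering described in that analysis, reduced to a single-asset Python model (an added example, not code from Cream Finance, AMP or PeckShield; every class name and amount is constructed for illustration). A pool that records a borrow only after a hook-calling token transfer lets the recipient borrow again against the stale debt figure; recording the debt before the transfer makes the nested request fail the collateral check.

```python
class HookToken:
    """ERC777-like token model: transfer() notifies the recipient via a hook."""
    def __init__(self):
        self.balances = {}
    def transfer(self, sender, recipient, amount):
        self.balances[sender] = self.balances.get(sender, 0) - amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = getattr(recipient, "tokens_received", None)
        if hook:
            hook(amount)  # control passes to the recipient mid-transfer

class LendingPool:
    """Hypothetical pool; effects_first selects the ordering inside borrow()."""
    def __init__(self, token, liquidity, effects_first):
        self.token, self.effects_first = token, effects_first
        self.collateral, self.debt = {}, {}
        token.balances[self] = liquidity
    def deposit(self, user, value):
        self.collateral[user] = self.collateral.get(user, 0) + value
    def borrow(self, user, amount):
        # Check: total debt must stay within the collateral value.
        if self.debt.get(user, 0) + amount > self.collateral.get(user, 0):
            raise ValueError("insufficient collateral")
        if self.effects_first:   # hardened: record the debt, then transfer
            self.debt[user] = self.debt.get(user, 0) + amount
            self.token.transfer(self, user, amount)
        else:                    # flawed: transfer first, record the debt after
            self.token.transfer(self, user, amount)
            self.debt[user] = self.debt.get(user, 0) + amount

class ReentrantRecipient:
    """Recipient whose hook requests one more loan during the first transfer."""
    def __init__(self, pool):
        self.pool, self.entered = pool, False
    def tokens_received(self, amount):
        if not self.entered:
            self.entered = True
            try:
                self.pool.borrow(self, amount)
            except ValueError:
                pass  # nested call rejected; the outer borrow carries on

def run(effects_first):
    """Return (tokens received, collateral value) after one borrow of 100."""
    token = HookToken()
    pool = LendingPool(token, liquidity=1000, effects_first=effects_first)
    user = ReentrantRecipient(pool)
    pool.deposit(user, 100)   # constructed value: collateral worth 100
    pool.borrow(user, 100)
    return token.balances[user], pool.collateral[user]
```

With the flawed ordering the recipient ends up holding twice what its collateral allows; with the debt recorded first it receives exactly the permitted amount.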