The decentralized lending platform Cream Finance has been hacked, with attackers stealing more than $130 million worth of funds through a large flash loan attack.
Blockchain data analytics firm PeckShield first identified the large flash loan transaction that the hackers used to exploit the Cream Finance platform.
The affected funds were mostly Cream liquidity provider tokens (Cream LP tokens) as well as other Ethereum-based tokens (ERC-20 tokens).
According to blockchain records, the hackers moved $92 million worth of funds into one address and $23 million into another, and transferred the remaining funds to other addresses. It now appears that the attackers have moved the funds to different wallets.
Following the incident, the price of Cream token plunged, from $152 to $111 in minutes, a 27% drop, according to CoinGecko.
The attacker left a strange message in the exploit transaction. They wrote, “gÃTµ Baave lucky, iron bank lucky, cream not. ydev : incest bad, don’t do.” This appears to refer to DeFi lending platforms Aave, Iron Bank, and Cream Finance.
This is the third time Cream Finance has faced a severe hack. In February, Cream Finance lost $37.5 million after hackers took advantage of a vulnerability in instant or flash credits technology.
In August, the primary decentralized finance protocol also lost $18.8 million after unknown hackers drained funds through flash loan exploits by introducing a reentrancy bug to the Amp token. After Cream Finance identified that incident, it stated that the protocol had stopped the exploit by pausing supply and borrowing contracts on the Amp token.
During that incident, PeckShield stated that the hacker exploited the Amp token by re-borrowing assets during its transfer, before the first borrow was updated, in 17 separate transactions.
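The ordering problem PeckShield describes (assets re-borrowed during a transfer, before the first borrow is recorded) can be reproduced in a toy model. The following is an added example, not code from Cream Finance or PeckShield; `HookToken`, `Pool`, the receive hook and all amounts are constructed assumptions. It compares a pool that records debt after the transfer with one that records it first.

```python
# Toy model with constructed values: a lending pool and a token whose
# transfer() hands control to the recipient before returning (assumed).

class HookToken:
    def __init__(self):
        self.balances = {}

    def transfer(self, src, dst, amount, on_receive=None):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        if on_receive:                  # recipient code runs here
            on_receive()

class Pool:
    def __init__(self, token, liquidity, effects_first):
        self.token, self.effects_first = token, effects_first
        token.balances["pool"] = liquidity
        self.collateral = {}            # user -> borrowing power
        self.debt = {}                  # user -> recorded borrow

    def borrow(self, user, amount, on_receive=None):
        # Check: recorded debt plus this borrow must stay within collateral.
        if self.debt.get(user, 0) + amount > self.collateral.get(user, 0):
            raise PermissionError("borrow exceeds collateral")
        if self.effects_first:
            # Hardened order: record the debt, then move tokens.
            self.debt[user] = self.debt.get(user, 0) + amount
            self.token.transfer("pool", user, amount, on_receive)
        else:
            # Flawed order: the hook runs while recorded debt is still stale.
            self.token.transfer("pool", user, amount, on_receive)
            self.debt[user] = self.debt.get(user, 0) + amount

def simulate(effects_first):
    """Return (tokens held, recorded debt) for a user with 100 collateral
    whose receive hook attempts one nested borrow of 100."""
    token = HookToken()
    pool = Pool(token, liquidity=1000, effects_first=effects_first)
    pool.collateral["user"] = 100
    def hook():
        try:
            pool.borrow("user", 100)    # nested call, no further hook
        except PermissionError:
            pass                        # hardened pool rejects it
    pool.borrow("user", 100, hook)
    return token.balances["user"], pool.debt["user"]
```

With the flawed ordering the user ends up holding 200 against 100 of collateral; with debt recorded before the transfer, the nested borrow fails the collateral check.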
Calls for More Investor Protections
Flash loans allow users to borrow funds without collateral because the lender expects the money to be returned within one transaction block, immediately. However, hackers have used this loophole in DeFi to steal millions of dollars.
As reported by Blockchain.News in August, the Poly Network DeFi protocol was attacked and hackers stole $600 million worth of funds from the protocol. This is considered the largest hack in DeFi and cryptocurrency history.
Decentralized Finance (DeFi), which is one of the use cases of blockchain technology, has been on the cusp of major growth. Regulators are aware of this growth and, of late, have been moving to act accordingly.
Frequent hacks like the abovementioned incidents have prompted regulators to call for better consumer protection in the DeFi sector.
In August, US SEC chairman Gary Gensler made it clear that regulation of DeFi platforms and stablecoins is on the SEC’s agenda. During that time, Gensler compared the use of DeFi to the Wild West, emphasizing it needs better investor protection.