CREAM Finance Flash Loan Hack - August 30, 2021
Overview
On August 30, 2021, decentralized lending protocol CREAM Finance was the victim of a flash loan hack. An unknown hacker managed to gain $18.8 million in the flash loan exploit through a reentrancy bug introduced by the AMP token.
Attack Details
The attackers stole 2,804.96 ETH and 462,079,976 AMP tokens from the protocol's vaults. There were two attackers behind the exploit that carried out the heist in 17 transactions.
Technical Mechanism
The attacker exploited a reentrancy vulnerability that arose from how CREAM integrated AMP into its protocol. The AMP protocol implements the ERC-777 token standard, which creates the potential for reentrancy. The
_callPostTransfersHook hook within the AMP contract calls the tokensReceived() fallback function within the calling smart contract. This hook is executed as part of the borrowing process and allows the attacker to execute code before that initial borrow is completed. The attacker's smart contract's tokensReceived function includes a second call to the borrow() function. Since this call occurs before the AMP contract updates its state from the initial borrow, the attacker is able to borrow more assets than they would have otherwise.Response
Cream Finance stopped the exploit by pausing supply and borrow contracts on the AMP token, with no other markets affected.
Sources