Cream Finance, a decentralized finance (DeFi) lending protocol, suffered its second flash loan attack this year, with the perpetrators draining more than $25 million.
- The attack was first reported by PeckShield in a tweet early on Monday. The blockchain security firm pointed to Ethereum records showing at least $6 million were drained at 5:44 UTC.
- The root cause of the incident was lending of AMP tokens, Cream Finance Product Manager Eason Wu said on Discord. Other assets on Cream are secure, he said.
- AMP token contracts allowed for a reentrancy attack, the same type of exploit used in the infamous DAO hack.
- Flash loan attacks take advantage of one of DeFi’s most controversial features: loans that do not require collateral.
- Cream Finance lost $37 million in the attack earlier this year.
UPDATE (AUG. 30, 9:13 UTC): Updates value, adds details from Cream Finance tweet.
UPDATE (AUG. 30, 10:22 UTC): Adds updated estimate from PeckShield.