Decentralized lending platform Cream Finance has once again been hacked. On Wednesday, a severe exploit occurred, with the attacker stealing approximately $130 million in funds.
According to Etherscan, an unknown person used a flash loan as part of a complex transaction. The transaction fee exceeded 9 ETH ($36,879 at that time). The majority of the stolen assets are Cream Finance liquidity provider tokens and other ERC-20 tokens.
The hacker also left a message: “Baave lucky, iron bank lucky. cream not”. This probably refers to the Aave, Iron Bank and Cream Finance projects.
Project representatives studying the exploit
Representatives of the project said that they are studying the exploit and will reveal details as they become available.
At the time of writing, the project token has lost 33.9% in the last hour, according to CoinGecko.
Blockchain security and data analytics company PeckShield reported that the attack was possible due to an error that “allows you to borrow all funds in current lending pools.”
Earlier in February, an unknown attacker took advantage of a vulnerability in the Iron Bank protocol (the second version of the Cream Finance project) and withdrew tokens totaling $37.5 million.
Previously, on August 30, Cream Finance was hacked through reentrancy on the AMP token contract. The damage amounted to 462,079,976 AMP and 2804 ETH (about $19 million). The protocol developers declared their readiness to independently compensate the victims for losses by deducting 20% of commission fees. Later, on September 8, the hacker transferred most of the stolen amount, 5152.6 ETH, to the project's multisig wallet.
In early October, the developers of the decentralized protocol confirmed that the project managed to return 5152.6 ETH. Cream Finance allowed the hacker to keep 10% of the stolen funds, approximately 515 ETH, as a reward for the discovered error.