Decentralized lending platform Cream Finance appears to have suffered a severe exploit on Wednesday, with an attacker stealing over $100 million worth of funds through a large flash loan attack.
Blockchain data analytics company PeckShield first identified the flash loan on Wednesday. The compromised funds were mainly Cream liquidity provider tokens, as well as other Ethereum-based tokens.
During a flash loan attack, an attacker exploits vulnerable smart contracts in order to create their own arbitrage opportunity. Typically, this is done by modifying the relative value of a trading pair by flooding the contract using their loaned tokens.
Cream Finance has been routinely targeted by attackers, as evidenced by the $19-million flash loan hack of the protocol in August. As Cointelegraph reported at the time, the attack was facilitated by a reentrancy bug introduced by the Amp cryptocurrency, an Ethereum-based token designed to collateralize digital payments on Flexa. At the time of writing, Cream's total value locked (TVL) was worth over $1.5 billion, according to industry sources.
Cream Finance’s forums appear to have been pulled in the wake of the attack, though the protocol did notify its Twitter followers that the flash loan is being investigated. The Twitter thread is filled with angry responses about Cream’s poor track record when it comes to safeguarding user funds.
While decentralized finance, or DeFi, has been lauded for revolutionizing traditional finance and promoting financial inclusion, the industry’s track record regarding consumer protection has been shoddy. A comprehensive list of DeFi attacks reveals 63 exploits as of Sept. 16, with the lost funds totaling roughly $1.2 billion, according to CryptoSec. The latest exploit of Cream Finance would be one of the largest.
The value of Cream Finance’s CREAM token crashed amid the news, falling more than 26% to $115.47, according to Cointelegraph Markets Pro.