Cream Finance losses $25 million in another security breach

TL;DR Breakdown Cream Finance has suffered another security breach that drained about $25 million in AMP and ETH.The incident was a result of a “reentrancy bug” on AMP token contract. For the second time in six months, popular decentralized lending protocol Cream Finance has suffered another attack due to a “reentrancy bug,” according to blockchain security and data analytics company, PeckShield. The protocol’s development team confirmed the incident on Twitter, noting that AMP tokens and Ether (ETH) were lost.  Cream Finance attack In what PeckShield addressed as a flash loan attack, the CREAM v1 market on the Ethereum blockchain was exploited early today due to a reentrancy bug on AMP token contract. The hacker exploited the bug to “re-borrow assets during its transfer before updating the first borrow.” 3/4 Specifically, in the example tx, the hacker makes a flashloan of 500 ETH and deposit the funds as collateral. Then the hacker borrows 19M $AMP and makes use of the reentrancy bug to re-borrow 355 ETH inside $AMP token transfer(). Then the hacker self-liquidates the borrow. pic.twitter.com/ryVX2RoxhJ— PeckShield Inc. (@peckshield) August 30, 2021 Cream Finance confirmed this, saying that the hacker stole 418,311,571 in AMP and 1,308.09 in ETH, which is estimated to be around $25 million. Meanwhile, the Cream team said they have suspended supply and borrow on AMP, to sto...