Decentralized finance (DeFi) lending platform CREAM Finance addressed the recent exploit it experienced, providing a ‘postmortem’ in a recent blog post.
First, CREAM assured its community and partners that it had stopped the exploit. The lending platform also added that it was working with authorities to trace the attacker and had created a plan to restore the lost funds.
AMP exploit
Earlier this week, CREAM Finance lost $25 million in a flash loan attack, the second in the past half year. Blockchain security company PeckShield Inc. first broke the news on Twitter, citing data from Etherscan, which CREAM confirmed shortly thereafter.
In its postmortem, CREAM went into further detail about what occurred. At roughly noon on August 31, attackers drained 462,079,976 AMP tokens and 2,804.96 ETH from the platform. CREAM said it would replace the stolen ETH and AMP to preclude any liquidity issues for users. It also committed to allocating 20% of all protocol fees toward repayment.
CREAM reported that there was a main initial exploit, in addition to a smaller copycat. However, the copycat exploit address has a withdrawal history with Binance. Accordingly, CREAM is working with the exchange to identify the perpetrator. The report added that CREAM would forward all relevant information to law enforcement authorities. It also expressed its intent to “prosecute to the fullest extent of the law.”
CREAM also said it would provide a bounty to anyone who can identify the exploiter or provide information leading to the exploiter's arrest. If the exploiter is successfully arrested and prosecuted, CREAM said it would share 50% of the funds returned as a reward.
CREAM also invited the exploiter to return the funds in return for keeping 10% as a bug bounty. With the assistance of PeckShield, CREAM determined that the root cause of the exploit was an error in the way it integrated AMP into its protocol.