30億円相当の仮想通貨をハッカーがDeFiプラットフォームから盗み出す、同様事例の被害額は520億円超に

C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract.

We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.

— Cream Finance ???? (@CreamdotFinance) August 30, 2021

1/4 @CreamFinance was exploited in (one hack tx: https://t.co/JPW7e368qd), leading to the gain of ~$18.8M for the hacker.

— PeckShield Inc. (@peckshield) August 30, 2021

2/4 The hack is made possible due to a reentrancy bug introduced by $AMP, which is an ERC777-like token and exploited to re-borrow assets during its transfer before updating the first borrow. pic.twitter.com/oVg0w1FWFt

— PeckShield Inc. (@peckshield) August 30, 2021

3/4 Specifically, in the example tx, the hacker makes a flashloan of 500 ETH and deposit the funds as collateral. Then the hacker borrows 19M $AMP and makes use of the reentrancy bug to re-borrow 355 ETH inside $AMP token transfer(). Then the hacker self-liquidates the borrow. pic.twitter.com/ryVX2RoxhJ

— PeckShield Inc. (@peckshield) August 30, 2021