C.R.E.A.M. Finance, a Taipei-based decentralized lending platform for individuals, institutions and protocols to access financial services, has suffered a flash loan exploit that led to a loss of about US$28 million, underlining the potential vulnerabilities of decentralized finance mechanisms.

Fast facts

  • C.R.E.A.M. tweeted on Monday that its market on Ethereum suffered an exploit, “resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract.” That loss was equivalent to about US$28 million at the time of writing.
  • C.R.E.A.M. said it has “stopped the exploit by pausing supply and borrow on AMP” and that no other markets were affected.
  • According to a preliminary investigation from crypto security firm PeckShield, the hacker made a flash loan of 500 ETH and deposited the funds as collateral.
  • A flash loan allows borrowers access to assets as long as they are returned within one block transaction. If they are not returned, a smart contract reverses the transaction.
  • This is not the first time that C.R.E.A.M. suffered an exploit. In February, it faced an exploit where hackers used DeFi protocol Alpha Finance.
  • Also this month, Japanese crypto exchange Liquid suffered a lost of over US$90 million dollars in an attack, which siphoned Bitcoin, Ethereum, Tron and XRP tokens from the exchange. Liquid obtained a US$120 million loan from fellow exchange FTX to cover losses.