C.R.E.A.M. Finance, a Taipei-based decentralized lending platform for individuals, institutions and protocols to access financial services, will be replacing the stolen cryptocurrencies to make sure there’s no liquidity issue for its users, after the platform saw an exploit that resulted in tens of millions of dollars in losses.
C.R.E.A.M. suffered a flash loan exploit earlier this week. It said in a post-mortem post that on Tuesday it was exploited for 462,079,976 in AMP tokens — Flexa Network’s native tokens — and 2,804.96 ETH tokens, which is much more than its preliminary estimates of 418,311,571 in AMP and 1,308.09 in ETH.
The loss was equivalent to about US$35 million at press time.
The DeFi platform said it suffered from a main exploit as well as a copycat exploit from an address that has a withdrawal history from Binance — the world’s largest cryptocurrency exchange by trading value. C.R.E.A.M. said it had been working with Binance to identify the second perpetrator.
Soon after the exploit took place, the company paused the AMP supply and borrow functions. It said in the post that it will re-enable the AMP market when a patch can be safely deployed.
Notably, C.R.E.A.M. says it will replace the stolen tokens. “We will commit to allocating 20% of all protocol fees toward repayment until this debt is fully paid,” it said in the post, adding that it will post a collateral with the Flexa team to secure the debt.
The company also said if the main exploiter is willing to return the stolen funds, “we will honor our normal 10% bug bounty and allow the exploiter to keep 10% of the funds as a bug bounty.”
If someone helps identify and offer information leading to the arrest and prosecution of the hacker, C.R.E.A.M. has pledged to share 50% of all funds returned, according to the post.
“We will learn from this exploit and use it as an opportunity to further strengthen the C.R.E.A.M. protocol,” the team said in the post. “While certainly a setback, we remain driven in our mission to bring capital efficiency (to) decentralized lending markets, fulfilling the financial needs of individuals, institutions and protocols.”
This is not the first time that C.R.E.A.M. got involved in an exploit, but the first time for it was directly exploited. In February, it faced an exploit where hackers used DeFi protocol Alpha Finance.
Just earlier this month, another DeFi platform, Poly Network, suffered a US$600 million hack, though the hacker later returned the stolen assets. Also this month, Japanese crypto exchange Liquid suffered a loss of over US$90 million in an attack, which siphoned Bitcoin, Ethereum, Tron and XRP tokens from the exchange. Liquid obtained a US$120 million loan from fellow exchange FTX to cover losses.