Lending and borrowing platform Cream Finance has suffered a large, multi-million dollar exploit. The attacker made off with more than 418 million of Flexa Network's native token, AMP, and 1,308 ETH.

The total sum amounts to $25,678,948, but the price of AMP had already fallen more than 15% at press time, according to CoinGecko. Cream Finance's native CREAM token is also down nearly 6%.

The attacker's address currently holds about $18.8 million.

The Cream Finance team has stopped further losses by “pausing supply and borrow on AMP,” adding that "no other markets were affected." 

PeckShield, a crypto-security firm, explained that the hacker took out a 500 ETH flash loan and used it to exploit a "reentrancy bug" that was introduced when Cream integrated the AMP token. Flash loans are uncollateralized loans that are borrowed and repaid within a single transaction; if the loan is not repaid by the end of that transaction, the whole transaction reverts, so the lender bears no credit risk and the borrower needs no capital up front.

Because AMP follows the ERC-777 standard rather than the more common ERC-20, its token contract behaves slightly differently, according to a post-mortem of the attack. The relevant difference is that ERC-777 notifies a receiving contract by calling its tokensReceived hook during the transfer itself, so the recipient's code runs before the transfer returns. A contract that sends such a token before it has finished updating its own accounting hands control to the recipient while its state is still stale, which is the general way an ERC-777 hook turns an otherwise ordinary transfer into a reentrancy vector.
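The following is an added illustration of this bug class, not Cream Finance's or Flexa Network's code, and it does not reproduce the actual attack transaction. It models a Compound-style market whose borrow() transfers the token out before recording the debt, an ERC-777-style token whose transfer() calls the recipient's tokensReceived hook mid-transfer, and a borrower contract that re-enters borrow() from that hook. The contract names, the 50% loan-to-value ratio and all balances are constructed for the demo; the flash loan that would fund the collateral in a real attack is not modeled. The same market with checks-effects-interactions ordering is shown for comparison.

```python
# Added illustration of an ERC-777 transfer-hook reentrancy against a lending
# market that transfers before it records the borrower's debt. Not Cream's or
# Flexa's code; names, the LTV ratio and the balances are constructed.


class Erc777Token:
    """Token whose transfer() calls the recipient's tokensReceived hook before
    returning, as ERC-777 does. Plain ERC-20 transfers have no such callback."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.hooks = {}  # recipient -> callable(operator, amount); cf. ERC-1820 registration

    def register_recipient(self, account, hook):
        self.hooks[account] = hook

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = self.hooks.get(recipient)
        if hook is not None:
            hook(sender, amount)  # recipient code runs inside the transfer


class LendingMarket:
    """Collateral is a plain number; borrow limit = collateral * LTV - debt."""

    LTV = 0.5  # constructed loan-to-value ratio

    def __init__(self, token, treasury, fixed):
        self.token, self.treasury, self.fixed = token, treasury, fixed
        self.collateral, self.debt = {}, {}

    def deposit_collateral(self, user, value):
        self.collateral[user] = self.collateral.get(user, 0) + value

    def borrow(self, user, amount):
        limit = self.collateral.get(user, 0) * self.LTV - self.debt.get(user, 0)
        if amount > limit:
            raise ValueError("borrow exceeds collateral limit")  # on-chain: revert
        if self.fixed:
            # checks-effects-interactions: record the debt before the external call,
            # so any reentrant borrow() sees the updated limit
            self.debt[user] = self.debt.get(user, 0) + amount
            self.token.transfer(self.treasury, user, amount)
        else:
            # vulnerable ordering: the token's hook runs while debt is still stale
            self.token.transfer(self.treasury, user, amount)
            self.debt[user] = self.debt.get(user, 0) + amount


class Attacker:
    """Borrower contract whose tokensReceived hook re-enters borrow() once."""

    def __init__(self, market, token):
        self.market, self.reentered = market, False
        token.register_recipient("attacker", self.tokens_received)

    def tokens_received(self, operator, amount):
        if not self.reentered:
            self.reentered = True
            self.market.borrow("attacker", amount)  # same limit check, stale debt


def run_attack(fixed):
    """Returns (tokens the attacker holds, debt the market recorded for them).
    Raises ValueError when the reentrant borrow is rejected; on-chain that
    revert unwinds the whole transaction, so nothing moves."""
    token = Erc777Token({"treasury": 10_000})
    market = LendingMarket(token, "treasury", fixed)
    Attacker(market, token)
    market.deposit_collateral("attacker", 1_000)  # limit is 500 at 50% LTV
    market.borrow("attacker", 500)
    return token.balances.get("attacker", 0), market.debt.get("attacker", 0)
```

Against the vulnerable ordering run_attack(False) returns (1000, 1000): the attacker walks away with twice their collateral limit because the inner borrow() was checked against a debt of zero. With the debt recorded first, the inner call sees a limit of zero and reverts. A reentrancy guard (a locked flag set on entry to borrow()) is the other standard defence and is cheaper to audit than relying on every function's ordering, but it protects only the functions that carry it.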

Cream Finance is a decentralized finance (DeFi) platform that lets users earn interest on their idle cryptocurrencies. Unlike platforms such as Aave or Compound, Cream lists many more markets, including for far more esoteric cryptocurrencies. Cream is a fork of the Compound code base.

In February this year, Cream was involved in another hack; at that time, an exploit of Alpha Finance was the root cause of the attack, which ultimately resulted in the loss of $37.5 million.

Cream Finance joins list of DeFi hacks

The emergent DeFi space has made headline after headline following major exploits similar to today's. Earlier this month, blockchain analytics company CipherTrace reported that a total of $474 million had been lost to DeFi hacks and fraud.

Hours after that report emerged, Poly Network, an interoperability protocol meant to bridge Ethereum, Polygon, and Binance Smart Chain, suffered a record-breaking hack of $600.3 million.

Despite these heady figures, the exploits continue to roll in. "The crux of the problem lies not in platforms giving out the flash loans," wrote CipherTrace in their report, "but the unaudited smart contracts the loans are sent to and exploited."

Editor's Note [August 30, 2021, at 4:45 am EST]: This article has been updated to show that Flexa Network's native token, AMP, was involved in the exploit, not Ampleforth's token AMPL. 

Editor's Note [September 1, 2021, at 8 am EST]: This article has been updated to make clearer that the exploit was due to the way the AMP token was integrated with Cream Finance rather than a bug in the Flexa Network.