Decentralized lending platform Cream Finance appears to have suffered a severe exploit on Wednesday, with an attacker stealing over $100 million worth of funds through a large flash loan attack.
Blockchain data analytics company PeckShield first identified the flash loan on Wednesday. The compromised funds were mainly Cream liquidity provider tokens, as well as other Ethereum-based tokens.
In a flash loan attack, an attacker exploits vulnerable smart contracts to create their own arbitrage opportunity. Typically, this is done by modifying the relative value of a trading pair by flooding the contract with the loaned tokens.
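The price distortion described above, shown as an added example (not from the original article, and not a model of Cream Finance's contracts). It assumes a constant-product pool with constructed reserves and shows the deviation check a protocol can apply before trusting a spot price; `Pool`, `price_is_trustworthy` and `simulate` are hypothetical names.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product pool (x * y = k). Assumed model, for illustration only."""
    reserve_a: float
    reserve_b: float
    fee: float = 0.003  # assumed swap fee

    def spot_price(self) -> float:
        """Price of token A quoted in token B, read straight from the reserves."""
        return self.reserve_b / self.reserve_a

    def swap_b_for_a(self, amount_b: float) -> float:
        """Sell amount_b of B into the pool and return the amount of A received."""
        effective = amount_b * (1 - self.fee)
        out_a = self.reserve_a * effective / (self.reserve_b + effective)
        self.reserve_a -= out_a
        self.reserve_b += amount_b
        return out_a


def price_is_trustworthy(spot: float, reference: float, max_dev: float = 0.05) -> bool:
    """Defender check: reject a spot reading that strays too far from a reference."""
    return abs(spot - reference) / reference <= max_dev


def simulate(loan_b: float):
    """Return (reference price, price after the swap, whether the check accepts it)."""
    pool = Pool(reserve_a=1_000.0, reserve_b=2_000_000.0)  # constructed reserves
    reference = pool.spot_price()  # stands in for a time-averaged or external price
    pool.swap_b_for_a(loan_b)      # one large trade made with borrowed tokens
    distorted = pool.spot_price()
    return reference, distorted, price_is_trustworthy(distorted, reference)


if __name__ == "__main__":
    for loan in (1_000.0, 2_000_000.0):
        ref, spot, ok = simulate(loan)
        print(f"trade={loan:>12,.0f} B  reference={ref:,.2f}  spot={spot:,.2f}  accepted={ok}")
```

A trade the size of the pool's own reserve roughly quadruples the spot price within a single transaction, which is why a contract that values assets from the instantaneous reserve ratio needs a reference price or a deviation bound.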
Cream Finance has been routinely targeted by attackers, as evidenced by the $19 million flash loan hack of the protocol in August. As Cointelegraph reported at the time, the attack was facilitated by a reentrancy bug introduced by the Amp cryptocurrency, an Ethereum-based token designed to collateralize digital payments on Flexa.
Cream Finance forums appear to have been pulled in the wake of the attack, though the protocol did notify its Twitter followers that the flash loan is being investigated. The Twitter feed is filled with angry responses about Cream’s poor track record of safeguarding user funds.
We are investigating an exploit on C.R.E.A.M. v1 on Ethereum and will share updates as soon as they are available.
— Cream Finance (@CreamdotFinance) October 27, 2021
While DeFi has been lauded for revolutionizing traditional finance and promoting financial inclusion, the industry’s track record in consumer protection has been shoddy. A comprehensive list of DeFi attacks reveals 63 exploits as of Sept. 16, with the lost funds totaling roughly $1.2 billion, according to CryptoSec. The latest exploit of Cream Finance would be one of the largest.