Cyber-thieves Hit DeFi Platform Again

A lending-focused decentralized finance platform has lost millions of dollars’ worth of AMP tokens and crypto-currency after falling victim to a second flash loan attack.

In a flash loan attack, a cyber-thief takes out a loan that requires no collateral – a flash loan – and uses it to manipulate and exploit the markets for financial gain. The criminal uses the capital that they’ve borrowed and pays it back in the same transaction.  

Cyber-thieves drained DeFi protocols Cream Finance and Alpha Finance of funds totaling $37.5m back in February. Now Cream Finance has lost millions of AMP tokens and more than a thousand ether worth over $25m in a similar smart-contract exploit. 

The latest flash loan attack was first reported by PeckShield on social media on Monday. Researchers at the blockchain security firm became suspicious when they came across Ethereum (ETH) records revealing that at least $6m had been drained at 5:44 UTC.

The theft was confirmed by Cream Finance on Monday via a Tweet that read: "C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract."

The platform went on to say that they had "stopped the exploit by pausing supply and borrow on AMP" and that "no other markets were affected."

According to Coinspeaker, the flash loan attack occurred in the early morning of August 30. It may have involved two cyber-thieves and a total of seventeen transactions.

In May, DeFi yield farming aggregator and optimizer for Binance Smart Chain (BSC) and ETH, Pancakebunny, lost close to $3m in a flash loan attack.

Announcing the attack on Twitter, the company said: “Attention Bunny Fam. Our project has suffered a flash loan attack from an outside exploiter. We will be posting a postmortem, in-depth analysis, but for the time being, we would like to update the community as to how this happened.”

Around a week later, a flash loan attack on Binance Smart Chain DeFi project Bogged Finance saw $3m exploited.
