$19 Million Cream Finance Flash Loan Attack
The Intelligent Insurer #33 - DeFi hacker makes loot untraceable using privacy protocol
On August 30th, a hacker gained access into the Cream Finance platform by exploiting a reentrancy bug, stealing almost $19 million across multiple transactions. The hacker reportedly returned $17.6 million of the $19 million stolen in ETH and AMP.
Security company Peckshield reported the funds’ return but failed to discover the motive behind the attacker’s actions. Interestingly, the part of the funds that the attacker did not return was made untraceable as the funds were put through the privacy mixer Tornado Cash to obfuscate the origin.
In the latest Intelligent Insurer, we highlight the details of the hack and what followed. We also analyze the portion of the stolen funds that the hacker did not return and consider how this could impact investor confidence in the decentralized finance (DeFi) industry.
Insured Finance Development Roundup
Our frontend has been deployed on the Mumbai testnet. Anyone can experience the sublime user interface of our upcoming marketplace through the link here. Visitors can connect their wallet and easily navigate through the marketplace before our upcoming alpha launch. A Testnet INFI token will be distributed to holders shortly which will allow holders to fully experience the two-sided marketplace on the Mumbai testnet. This Testnet INFI token is purely for testing the platform. We’ll release a proper “how to” for the platform early next week. Some development points include:
Our token bridge is live on the front end which will allow users to transition their INFI tokens between different test environments
We are working through issues related to smart contract and subgraph deployments. Our audits and updates to these deployments will ensure that the marketplace environment is fully secure and bug-free.
We also continue to monitor both our front and backend experience, performance, and security infrastructure.
All of the above are major milestones on our journey to the alpha launch of the two-sided insurance marketplace. It’s an extremely exciting stage in the development of Insured Finance as users are now starting to experience the intuitive interface and seamless navigational experience of the upcoming marketplace.
$19 million flash loan attack on Cream Finance
The $19 million Cream Finance exploit was centred on a flash loan exploit. During the attack, the hacker withdrew 2,804.96 ETH and 462,079,976 AMP tokens from the platform before the project team stepped in to stop the exploit. Not long after the hack, the hacker traded the AMP tokens for ETH, resulting in a total of 5,758 ETH stolen.
Flash loans were designed to enable a speedy and uncollateralized lending system. Flash loans allow DeFi users to borrow capital from decentralized protocols under the conditions that it is returned within the same block. If the capital is not returned, the transaction is excluded from the block that initially processed the borrowing. Unfortunately, hackers have devised ways of exploiting the system, leading to the execution of multiple unauthorized withdrawals if not stopped quickly. Several recent exploits have focused on this weakness.
In Cream Finance’s case, a reentrancy bug was the loophole exploited by the hacker. This enabled the execution of multiple “high-value flash loans” and the hacker moved the funds from the smart contract to an individual wallet. After 8 days, 90% of the funds were returned to Cream Finance with the remaining 20% obfuscated by the hacker.
The remaining 20% was obfuscated using Tornado Cash, a protocol that uses smart contracts to enforce transaction privacy. Onchain data shows that 606 ETH was transferred using Tornado Cash. This protocol breaks the on-chain link between the interacting addresses, thereby obfuscating transactions and making them untraceable.
(Source: Nansen.ai)
This is not the first brush Cream Finance has had with security. Although this is the first major exploit, a bug on the protocol was almost exploited earlier this year.
However, a white hacker discovered the bug and disclosed it before it could be exploited. The bug would have allowed hackers to drain roughly $100K worth of funds from the project if it was left unaddressed.
The bug was discovered by Azeem, the co-founder of Amor, less than 2 months into a bug bounty program launched by Cream Finance. Azeem was rewarded roughly $20K for discovering the bug.
Crypto users must prepare against potential DeFi hacks
Given that Cream Finance is a major DeFi protocol, it’s previous close call and the current exploit certainly raise concerns regarding the state of security in the DeFi world. Due to the use of Tornado Cash, the remaining funds that were stolen are unlikely to be returned. Some investors who held their capital in Cream Finance may suffer irreversible exploits. Hacks such as these highlight bugs within the system that lead to investor jitters.
For adequate protection from such losses, users are turning to insurance solutions like Insured Finance. For instance, Cream Finance users who had digital asset insurance would be eligible for compensation. Insured Finance allows investors to secure tailored insurance, and cover risks such as exchange hacks, rug pulls, and stablecoin failures.
About Insured Finance
Insured Finance is a decentralized, peer-to-peer insurance marketplace. Insured Finance users can request customized insurance on a wide variety of digital assets. Those that fulfill requests earn premiums and can earn a competitive return on their capital. Claims are fully collateralized and settled instantly.