https://www.rekt.news/cream-rekt/
C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract. We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.
Cream Finance was audited by Trail of Bits (one of the few auditors absent from our leaderboard) on Jan 28th 2021.
However, even the strongest audit becomes irrelevant once the protocol is changed.
On Feb 10th 2021, the Cream proposal to add the AMP token came into effect, and the loophole opened up.
https://cointelegraph.com/news/bilaxy-exchange-suspends-website-after-erc-20-hot-wallet-hack
Hong Kong cryptocurrency exchange Bilaxy was the victim of a hack that compromised a hot wallet on its platform and saw the transfer of 295 ERC-20 tokens, worth more than $21 million, to a single wallet on Sunday (Aug. 29).
The Bilaxy hack is the 20th DeFi attack this month, according to the Investing.com report. (Referring to August 2021.)
On 29 August at 04:43 UTC, a vulnerability in our xSNX contract was exploited. We estimate the loss to holders at $4.5 million. We are incredibly disappointed in ourselves and deeply sorry to our community.
That the attacker was able to call the callFunction function was the source of the vulnerability. This function should only have been callable from dydx’s SoloMargin flashloan contract that we had integrated to improve fund performance on rebalances. An erroneous require statement allowed the function to be publicly callable. We mistakenly used require(sender == address(this)) when we should have used require(msg.sender == soloMarginAddress).
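The access-control mistake described in the xSNX statement, shown as an added illustration that is not xToken's contract code. The Account.Info struct and the callFunction(address sender, Account.Info, bytes) signature are assumed to mirror dydx's ICallee callback interface; the contract names, the soloMargin variable and the rebalance body are hypothetical. The first contract checks the caller-supplied sender argument, which any externally owned account can set to address(this); the second checks msg.sender, the only value the caller cannot forge.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumption: a minimal stand-in for dydx's Account.Info so the file compiles alone.
library Account {
    struct Info {
        address owner;
        uint256 number;
    }
}

// Vulnerable pattern (hypothetical contract): the require compares a plain
// function argument. Anyone can call callFunction directly and pass
// sender = address(this), so the rebalance logic runs on attacker-chosen data.
contract VulnerableFlashCallee {
    address public immutable soloMargin;
    uint256 public rebalanceCount;
    event Rebalanced(uint256 amount, address caller);

    constructor(address _soloMargin) {
        soloMargin = _soloMargin;
    }

    function callFunction(
        address sender,
        Account.Info memory,
        bytes memory data
    ) external {
        // BUG: `sender` is caller-controlled; this does not restrict who may call.
        require(sender == address(this), "not self");
        _rebalance(data);
    }

    function _rebalance(bytes memory data) internal {
        uint256 amount = abi.decode(data, (uint256));
        rebalanceCount += 1;
        emit Rebalanced(amount, msg.sender);
    }
}

// Hardened pattern (hypothetical contract): msg.sender is set by the EVM and
// must be the SoloMargin contract. The second require is an extra guard
// (assumption about dydx semantics: `sender` is the account that initiated the
// operation) so a flash loan started by a third party cannot drive this callback.
contract HardenedFlashCallee {
    address public immutable soloMargin;
    uint256 public rebalanceCount;
    event Rebalanced(uint256 amount, address caller);

    constructor(address _soloMargin) {
        soloMargin = _soloMargin;
    }

    function callFunction(
        address sender,
        Account.Info memory,
        bytes memory data
    ) external {
        require(msg.sender == soloMargin, "caller is not SoloMargin");
        require(sender == address(this), "operation not initiated by this contract");
        _rebalance(data);
    }

    function _rebalance(bytes memory data) internal {
        uint256 amount = abi.decode(data, (uint256));
        rebalanceCount += 1;
        emit Rebalanced(amount, msg.sender);
    }
}
```

A useful review habit for any flash-loan or callback entry point: every require on an entry point that is meant to be reachable only by one integrator must reference msg.sender (or a value derived from it); a check on a bytes or address argument alone proves nothing about who called.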