An anonymous reader quotes a report from The Record, written by Catalin Cimpanu: Hackers are estimated to have stolen more than $29 million in cryptocurrency assets from Cream Finance, a decentralized finance (DeFi) platform that allows users to loan and speculate on cryptocurrency price variations. The company confirmed the hack earlier today, half an hour after blockchain security firm PeckShield noticed signs of an ongoing attack. Cream Finance said the hacker used a “reentrancy attack” in its “flash loan” feature to steal 418,311,571 in AMP tokens (estimated at around $25.1 million at the time of the hack) and 1,308.09 in ETH coins (estimated at around $4.15 million). The term “flash loan” refers to a contract (script) that runs on the Ethereum blockchain that allows Cream Finance users to take quick loans from the company’s funds and then return them at a later date.
Reentrancy attacks take place when a bug in these contracts allows an attacker to withdraw funds repeatedly, in a loop, before the original transaction is approved or declined or the funds need to be returned. PeckShield and Tal Be’ery, the founder of cryptocurrency wallet app ZenGo, confirmed that the Cream Finance hacker exploited a bug in the ERC777 token contract interface that’s used by Cream Finance to interact with the underlying Ethereum blockchain. Be’ery told The Record today that ERC777 has enabled several reentrancy attacks on DeFi online services, which keep relying on the feature despite its history of bad implementations, bugs, and hacks. The ZenGo founder also told The Record that DeFi services need to develop or implement a firewall-like system for their platforms in order to filter malicious requests to their underlying contracts, which are the backbone of their services and the targets of most of these hacks.
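To make the mechanism concrete: ERC777 transfers invoke a hook on the recipient, which is what hands control back to a caller mid-function. The following is an added example, not code from Cream Finance, The Record, or any real contract; the pool, its token interface and the function names are hypothetical, and it shows the two standard mitigations (state update before the external call, plus a reentrancy guard).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical ERC777-style token interface: only the call this example needs.
// A real ERC777 `send` notifies the recipient via its tokensReceived hook.
interface IERC777Like {
    function send(address to, uint256 amount, bytes calldata data) external;
}

// Hypothetical lending pool. Crediting `deposits` is omitted; only the
// withdrawal path matters for the reentrancy discussion.
contract GuardedPool {
    IERC777Like public immutable token;
    mapping(address => uint256) public deposits;
    uint256 private locked = 1; // 1 = unlocked, 2 = locked

    constructor(IERC777Like _token) {
        token = _token;
    }

    // Rejects any nested call into a guarded function during its execution.
    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    // Vulnerable ordering, for contrast: calling token.send(...) first and
    // only then subtracting from deposits[msg.sender] lets the recipient hook
    // call redeem() again while the old, unreduced balance is still recorded.
    function redeem(uint256 amount) external nonReentrant {
        // Checks
        require(deposits[msg.sender] >= amount, "insufficient balance");
        // Effects: record the withdrawal BEFORE any external call
        deposits[msg.sender] -= amount;
        // Interactions: this send may run msg.sender's tokensReceived hook,
        // but the balance is already reduced and the guard is already set
        token.send(msg.sender, amount, "");
    }
}
```

Either defence alone blocks the loop described above; using both means a future refactor that reorders the function body does not silently reopen the hole.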