CREAM attack results in theft of $ 37.5 million

Flash loan exploitation results in the theft of $ 37.5 million.

CREAM token loses 40% with a spate of sales after the incident.

Alpha Labs announced that the issue is resolved

Decentralized finance has come a long way in the past year, with new and innovative features that are constantly evolving and adapting to new projects and contracts. However, exploitations of vulnerabilities still occur, as we saw this February 13.

This Saturday, February 13, the popular CREAM project suffered a huge flash loan exploitation of $ 37.5 million. The team announced the attack while the situation is still developing, saying they were working on a post-mortem report through relevant parties.

It appears that the exploitation took place using Alpha Homora by borrowing sUSD from IronBank.

Although the operator has managed to continuously loan double the funds, it appears that he pocketed 13,200 WETH, 3.6 million USDC, 5.6 million USDT and 4.2 million DAI .

The Block research analyst Igor Igamberdiev detailed on Twitter the process and how it happened:

It is believed that Alpha Labs fixed the problem. While the funds were mined through Alpha Hamora, an Ethereum protocol to profit from your position in yield growing pools, the funds were borrowed by the exploiter.

Alpha Labs has since said they are working with YFI founder Andre Cronje and CREAM Finance to investigate the stolen funds. They claim that a prime suspect has already been identified.

CREAM dives after the attack

Following the exploit on Alpha Hamora, CREAM saw its price drop by 40%. The went from $ 285 to $ 173.

The price of CREAM fell 40% as a result of the exploit. Source: Tradingview
As one of the deployers, the price suffered a dramatic drop before seeing some recovery. The CREAM team announced that everything is working normally. The team has relaunched the markets, and a post mortem will follow.

”CREAM’s contracts and markets were investigated which revealed that everything was functioning normally. The markets have been reactivated in both versions, V1 and V2.

This hack took place as the number of attacks rises with Bitcoin’s bull cycle. On January 26, a hacker exploited a system vulnerability on SushiSwap using the DIGG token of the Badger DAO. The hacker fled with 81 ETH, worth approximately $ 103,842 at the time.

admin