DeFi Protocol Cream Finance Loses $25M in Flash Loan Attack

Ethereum-based DeFi protocol, Cream Finance, has reportedly lost over $25 million to a flash loan attack. The protocol offers a lending and borrowing platform for users and had its Amp (AMP) token pools attacked in the early hours of Monday.

Hackers normally use flash loan attacks to exploit vulnerabilities in smart contracts. The nature of flash loans allows for borrowing, exploiting, and payback of funds to be wrapped into a single transaction, making it economically cheaper for the attacker.

The flash loan alert was initially flagged by the blockchain security company Peckshield before Cream Finance subsequently confirmed the incident and also the amount that the hacker made away with.

Investigations with Peckshield revealed that the incident exploited a “_callPreTransferHooks for reentrancy” on the AMP token contract.

The amount stolen in AMP tokens is worth roughly $21 million at the current market price, while the 1308 ETH is worth around $4 million. This is the second high-profile attack suffered by Cream Finance this year, as the project also lost $34 million in February.

As one would expect, the price of CREAM and AMP has dropped sharply in the aftermath of the exploit. Both tokens are down by roughly 13% and 10% respectively.

AMP token (1-day chart)

CREAM token (1-day chart)







The Cream Finance protocol has $1.2 billion in total value (TVL) locked and is also live on Binance Smart Chain, Polygon, and Factom. According to the data tracking site, DeFilLama, Cream is the 17th largest DeFi protocol by TVL in the Ethereum ecosystem.