Cream Finance has suffered yet another flash loan attack. The Ethereum-powered decentralised finance project had $100 million stolen by an attacker, who has not yet been identified.
Blockchain analytics and security firm PeckShield were the first to flag the attacker’s address. Cream finance have since confirmed that they are investigating an exploit on CREAM v1 on Ethereum and that they will share updates as soon as they are available.
After releasing the news, the price of CREAM dropped. It now trades at $111.61, dropping almost 30% in an hour.
This is not the first attack that the project has experienced. In August, the firm was the victim of another flash loan attack in which $25 million was stolen.
The latest attack has not gone down well in the crypto space. Many traders are now expressing their concerns over trading CREAM, saying that two attacks in such a short time period is down to more than a simple mistake.
One Twitter user, @skinnvaesten, wrote “How about not using CREAM at all. First exploit, it’s okay, mistakes happen. Second exploit, uh buddy, didn’t you learn the first time? Third exploit, severe incompetence, do not use Cream.”
Another user wrote, “Looks like @creamdotfinance is dead boys”, implicating the downfall of the firm after the attack.
A flash attack
The devastating exploit that occurred on Wednesday drained over $1 billion in funds, making it one of the largest DeFi exploits to date. According to Cream’s frontend, most Ethereum pools are now completely empty.
The funds appear to have been taken in a flash loan in a complex transaction that involved 68 different assets and cost the attacker 9 ETH in gas. The attacker’s contract now holds $92 million in crypto assets and the creator’s address holds a further $22 million.
The attacker is now using a number of privacy-preserving mixing services to ‘wash’ the funds. Further details are yet to be announced.