On August 30, 2021, according to news from the SlowMist Zone, the decentralized lending protocol Cream Finance suffered flashloan attack and lost approximately US$18 million. The SlowMist security team immediately intervened in the analysis and shared the brief analysis results as follows.
Analysis
1. The attacker borrowed 500 ETH from Uniswap flashloan;
2. Stake 500 ETH into the crETH contract to obtain crETH certificate;
3. Loan 19,480,000 AMP from crAMP contract;
- -> When lending, the cToken contract will first transfer AMP tokens to the attacker through the doTransferOut function, and then record the attacker’s loan amount to accountBorrows; and then record the amount of borrowing of the attacker into accountBorrows.
- -> But the transfer function of AMP tokens will call back the tokensReceived function of the attacker contract via the hook (_callPostTransferHooks) function;
- -> The attacker contract called the crETH contract again in the tokensReceived function, borrowing 355 ETH;
- ->The first loan contract is the crAMP contract, and the second reentry call is the crETH contract, the nonReentrant modifier of the borrow function does not work;
- -> And the borrow function is a borrowing record (accountBorrows) that is modified after transferring money to the user, causing the attacker to make excess borrowing;
4. Then the attacker uses another contract (0x0ec3) to liquidate the contract (0x38c4) that has been liquidated so that the transaction will not fail due to excessive borrowing;
5. Later, the attack contract (0x38c4) transferred the crETH certificate to the 0x0ec3 contract, and the 0x0ec3 contract used these certificates to redeem about 187.58 ETH;
6. In this transaction, the attacker obtained approximately 542.58 (187.58 + 355) ETH and 9,740,000 AMP tokens;
7. Finally, the attacker returned the flashloan and left with a profit. Other attack transactions are similar.
Summary
This attack was caused by the incompatibility between the Cream loan model and AMP tokens. Since the AMP token transfer will use the hook function to call back the target address, and the Cream cToken contract will only record the loan amount after the loan transfer, which eventually caused the problem of excess borrowing.
About us
SlowMist Technology is a company focused on blockchain ecosystem security. It has served many top or well-known projects around the world through “the security solution that integrated the threat discovery and threat defense while tailored to local conditions” and has thousands of commercial customers. SlowMist’s security solutions include security audit, threat intelligence (BTI), bug bounty, defense deployment, security consultant, and other services. SlowMist is equipped with cryptocurrency anti-money laundering (AML), false top-up scanner, vulnerability scanner, and vulnerability monitoring (Vulpush), hacked project archives (SlowMist Hacked), smart contract firewall (FireWall.X), Safe Staking and other SAAS security products. It has been widely concerned and recognized by the industry.
