defirisk.co
rubric v1.7.0

Cream Finance: ERC-777 Reentrancy (Token Integration Vulnerability)

Cream Finance lost $18.8M when a post-audit AMP token integration introduced an ERC-777 reentrancy hook that allowed the attacker to double-borrow against collateral that hadn't yet been updated.

Occurred 2021-08-30 Loss $19M Status closed

Summary #

Cream Finance suffered a Lending on 2021-08-30, resulting in a loss of approximately $19M.

What happened #

Cream Finance lost $18.8M when a post-audit AMP token integration introduced an ERC-777 reentrancy hook that allowed the attacker to double-borrow against collateral that hadn't yet been updated.

Linked factors #

  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — the AMP token integration (ERC-777 callback) was added post-audit]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — AMP token integration added via governance Feb 10, 2021, six months before exploit; the new token type introduced the reentrancy surface] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — AMP token integration added via governance Feb 10, 2021, six months before exploit; the new token type introduced the reentrancy surface] || Time between audit end and deploy [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
  • RD-F-007 — causal : Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown — not mentioned in post-mortem]
  • RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Flash loan activity visible on-chain; repeated pattern across 17 transactions suggesting an iterative, manual/scripted attack rather than a ...]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Cream Finance is a fork of Compound Finance]
  • RD-F-127 — related : Upstream Compound has patches that may not be merged here [via dashboard_risk_factors/Forked?: Y — Cream Finance is a fork of Compound Finance]
  • RD-F-141 — related : Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
  • RD-F-146 — related : New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract] || New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — AMP token integration added via governance Feb 10, 2021, six months before exploit; the new token type introduced the reentrancy surface]