defirisk.co
rubric v1.7.0

Cream Finance: ERC777 reentrancy via newly integrated AMP token — reentrant `borrow()` before state update

Occurred: 2021-08-30 | Loss: $19M | Status: closed

Summary

Cream Finance, a Lending / Money Market protocol, suffered an exploit on 2021-08-30, resulting in a loss of approximately $19M.

What happened

Cream Finance lost $18.8M when an attacker exploited ERC777 reentrancy hooks in the newly integrated AMP token to double-borrow from Cream's lending pool 17 times before state was updated.

Linked factors

  • RD-F-001 (causal): ★ Audit scope mismatch, exploited code outside scope. Source: dashboard_risk_factors / "Was exploited code in audit scope?": NO (partial). Trail of Bits audited Cream's base code in January 2021. The AMP token integration was added via governance in February 202...
  • RD-F-006 (causal): Audit-deploy gap (time between audit and deploy). Source: dashboard_risk_factors / "Exploited code newly deployed/upgraded": YES. AMP token integration deployed via governance proposal Feb 10, 2021; exploit Aug 30, 2021. The integration was ~6.5 months old but w...
  • RD-F-100 (illustrative): Flash loan > $10M origination, real-time signal. Source: realtime_signals / "Unusual borrowing": Yes, detectable in-exploit. 17 sequential transactions each involving a flash loan + double borrow cycle. Reentrancy within borrow would ...
  • RD-F-126 (causal): Is-a-fork-of (Cat 8 anchor). Source: dashboard_risk_factors / "Forked": Compound V2 fork.
  • RD-F-127 (related): Upstream Compound has patches that may not be merged here. Source: dashboard_risk_factors / "Forked": Compound V2 fork.
  • RD-F-146 (related): New deploys in last 30 days, fresh attack surface. Source: dashboard_risk_factors / "Exploited code newly deployed/upgraded": YES. AMP token integration deployed via governance proposal Feb 10, 2021; exploit Aug 30, 2021. The integration was ~6.5 months old but w...