Cream to Return Stolen Funds Using Protocol Fees

Decentralized finance protocol Cream Finance said it will use protocol fees to repay users that lost money during Monday’s attack.

• In a postmortem posted on Medium, the Cream Finance team said it is committing one-fifth of protocol fees until affected users have recovered all of their funds.
• The protocol will post collateral with the AMP and Flexa teams until the debt is repaid. Affected users are invited to submit a request through a Google form.
• Cream also revised its Monday estimate of the hack upwards. It said the hackers drained 462,079,976 AMP tokens and 2,804.96 ether, totaling upwards of $33.5 million.
• This is the first time Cream was directly exploited, the post said, probably referring to another attack it suffered earlier this year.
• The team has identified a main exploit and a copycat. The latter has withdrawal history on Binance, so Cream is working with the crypto exchange to identify the copycat. The two stole the funds over 17 transactions.
• Cream is offering its usual bug bounty: If the hacker or hackers comes forward, they can keep 10% of the stolen funds.
• The post confirmed earlier reports that the integration of ERC-777 AMP token contracts in the Cream protocol were the root cause.
• While the AMP market integration took place in February, it was only five days before the attack that a big influx of AMP tokens on Cream made the account profitable, according to the blog post.
• Cream said it will re-deploy AMP borrowing and lending once the vulnerability has been patched.

See also: The Poly Hack and Crypto’s Trust Issues