Reentrancy Attack on Cream Finance — Incident Analysis

Related Addresses

Attack Steps

  • Flash loan $WETH from Uniswap V2
  • Deposit the borrowed $WETH into Cream Finance as collateral and mint $crETH
  • Borrow $AMP from Cream Finance, with a reentrant call to borrow $ETH
  • Swap some $AMP for $WETH
  • Repay the borrowed $WETH flash loan
  • Transfer the profit to the wallet

  • Use contract #1 to flash loan $WETH from Uniswap V2
  • Deposit the borrowed $WETH from contract #1 into Cream Finance as collateral
  • Use contract #1 to borrow $AMP from Cream Finance, with a reentrant call to borrow $ETH
  • Transfer $AMP from contract #1 to contract #2
  • Use contract #2 to pay $AMP to liquidate the borrow of contract #1 and get $crETH back
  • Use contract #2 to redeem $crETH for $ETH in Cream Finance
  • Transfer all $ETH from contract #2 to contract #1
  • Wrap all $ETH in contract #1 and repay the borrowed $WETH flash loan
  • Transfer all profit from contract #1 to the wallet

Code Analysis

  • CCollateralCapErc20.borrow() calls CToken.borrowInternal()
  • CToken.borrowInternal() calls CToken.borrowFresh()
  • CToken.borrowFresh() calls doTransferOut()
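
The call chain above ends in a token transfer, which is where a borrower's code can run again before the borrow has finished. The model below is an added example, not Cream Finance's or Inspex's code: it assumes the transfer runs before the debt is recorded and that the token notifies its receiver, and the names Pool, Market and total_borrowed are hypothetical.

```python
# Constructed toy model of a two-market lending pool (not Cream's code).
# Assumption: the token transfer can call back into the receiver.

class Pool:
    """Shared ledger: one collateral and one debt figure per account."""
    def __init__(self):
        self.collateral, self.debt = {}, {}


class Market:
    def __init__(self, pool, cash, effects_first):
        self.pool, self.cash, self.effects_first = pool, cash, effects_first

    def borrow(self, account, amount, on_receive=None):
        # Check: recorded debt plus this borrow must fit the collateral.
        owed = self.pool.debt.get(account, 0)
        if owed + amount > self.pool.collateral.get(account, 0):
            raise ValueError("insufficient collateral")
        if self.effects_first:
            self._record(account, amount)            # effect, then interaction
            self._transfer_out(amount, on_receive)
        else:
            self._transfer_out(amount, on_receive)   # hook sees stale debt
            self._record(account, amount)

    def _record(self, account, amount):
        self.pool.debt[account] = self.pool.debt.get(account, 0) + amount

    def _transfer_out(self, amount, on_receive):
        self.cash -= amount
        if on_receive:               # stands in for the token's receive hook
            on_receive()


def total_borrowed(effects_first):
    """Debt recorded after one borrow whose hook borrows from a second market."""
    pool = Pool()
    pool.collateral["acct"] = 100    # constructed sample values
    amp, eth = (Market(pool, 1000, effects_first) for _ in range(2))

    def hook():
        try:
            eth.borrow("acct", 100)  # re-enters while the first borrow is open
        except ValueError:
            pass                     # rejected once the debt is already recorded

    amp.borrow("acct", 100, on_receive=hook)
    return pool.debt["acct"]
```

With the transfer first, the account ends up owing 200 against 100 of collateral; recording the debt before the transfer makes the nested borrow fail its collateral check.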

Conclusion

About Inspex

Cybersecurity professional service, specialized in blockchain and smart contract auditing https://twitter.com/InspexCo
