Decentralized finance (DeFi) protocol Cream Finance has promised to return all the stolen funds from the Monday attack on the platform, the protocol said in a post mortem of the exploit on 1 September.
According to the announcement, Cream Finance will return all of the stolen AMP and ETH tokens to affected users, and then use 20% of all protocol fees for the repayment of the debt, which will be secured using a CREAM collateral with the Flexa team. While originally Cream Finance claimed to have lost around $19 million in tokens, but its post mortem put that figure closer to $34 million. The protocol said in the post:
“We are committed to making this right for those negatively impacted by the exploiter. We are committed to this industry and building innovative DeFi products. We appreciate the support of our partners and community and will move forward together.”
With the help of blockchain security firm PeckShield, Cream Finance confirmed that the exploit was connected to the integration of ERC-777 AMP token contracts in the protocol, and involved a flash loan attack. The team also found there was a smaller attack from a copy-cat that used an address with transaction history from Binance, which is now helping the protocol to identify the copy-cat.
Over the course of 17 transactions, the attackers were able to steal about 462 million AMP tokens, and 2,800 ETH. The protocol has now offered the exploiters a 10% bug bounty for returning the stolen funds, but is also working with authorities to track the attacker and prosecute him “to the fullest extent of the law”. Individuals who are able to provide information leading to the arrest of the attackers will also be awarded with 50% of all returned funds.