Hacked C.R.E.A.M. Finance Promises to Repay Users With Protocol Fees and Offers 10% Bounty Bug

The popular DeFi protocol Cream Finance, which became the latest hack victim earlier this week, will allocate 20% of all the fees it charges to repay the affected customers.

Additionally, the project has offered a bug bounty to the still unknown perpetrators and up to 50% for third parties who can assist with recovering the funds.

What Happened to Cream?

CryptoPotato reported earlier this week when Cream Finance – a permissionless, open-source, blockchain agnostic platform – was exploited for the second time in six months. At that point, the estimations showed that the unknown attackers managed to swipe around $25 million in ETH and AMP.

The project provided an update on September 1st that has a different amount, though.

“At approximately 12 pm on August 31st (UTC +8), CREAM Finance was exploited for 462,079,976 in AMP tokens and 2,804.96 ETH tokens.”

With today’s prices, it turns out that the hackers stole roughly $35 million. They did so through two transactions – the primary exploiter and a smaller copycat. Cream said the second wallet has a withdrawal history from Binance, and the two parties are working together to identify the attackers.

The DeFi project has also collaborated with PeckShield to determine that the root cause was an error in its integration process with AMP. It wasn’t an issue with AMP’s code, as some previous assessments suggested.

Cream has paused the AMP supply and borrowing services and promised to restart them when a “patch can be safely deployed.”

Reimbursements and Bug Bounty

The team vowed to reimburse all users whose funds had been stolen during the hack. To do so, Cream has committed to “allocate 20% of all protocol fees toward repayment until this debt is fully paid.”

The team also said it will post Cream collateral with the Flexa/A.M.P. team to secure the debt.

Separately, the DeFi project offered the hackers its regular 10% bug bounty plus a 10% bonus of the stolen funds if they are willing to return them.

In case a third party is able to identify and provide valuable information “leading to the arrest and prosecution” of the perpetrators, Cream promised to share 50% of the recovered funds. Lastly, the team said it has contacted “the relevant authorities to pursue all avenues available to us.”