Solana DeFi Protocol Crema Loses $8.8M in Exploit
Don't miss CoinDesk's Consensus 2022, the must-attend crypto & blockchain festival experience of the year in Austin, TX this June 9-12.
Solana-based liquidity protocol Crema Finance had more than $8.78 million worth of cryptocurrencies stolen from its platform in an attack over the weekend, developers said in a tweet.
Crema said it had suspended its smart contract after the exploit. The protocol allows liquidity providers to set specific price ranges, add single-sided liquidity and conduct range order trading. This makes for a sophisticated and decentralized trading platform.
“We've been closely working with several experienced security institutes and relevant organizations to track the hacker's fund movements,” the developers said in a tweet.
Value locked on Crema plunged to $3 million on Monday from over $12 million on Saturday following the exploit, data shows. Crema has seen trading volumes of $1.34 billion since its inception in January.
The attacker started by creating a fake tick account. A tick account is "a dedicated account that stores price tick data in CLMM,” the developers said, referring to Crema's market making protocol. After that, the attacker exploited a command by writing the data on the fake account and circumventing security measures.
4) After creating the fake tick account, the hacker circumvented our routined owner check on the tick account by writing the initialized tick address of the pool into the fake account. Txid: https://t.co/X0IneBg9ut
— CremaFinance (@Crema_Finance) July 3, 2022
The attacker then used a flash loan to manipulate the prices of assets on liquidity pools. This, along with the false data entries, allowed the attacker to claim “a huge fee amount out from the pool.”
Flash loans allow traders to borrow unsecured loans from lenders by relying on smart contracts instead of third parties.
The stolen funds were swapped to 69422.9 solana (SOL) and 6,497,738 USD coin (USDC). The Solana-based USDC was then bridged to the Ethereum network via Wormhole and swapped to 6,064 ether (ETH). These funds amount to over $8.5 million at current prices.
The attacker’s Ethereum address, 0x8021b2962dB803b73Aa874030B0B42c202E8458F as flagged by blockchain scanning tool Etherscan, had not moved the stolen funds or converted to other coins at writing time, the data show.