Crema Finance Hack — July 2-4, 2022
Overview
On July 2, 2022, Crema Finance, a concentrated-liquidity DEX on Solana, was exploited and drained of more than $8.78 million worth of crypto assets.
Attack Mechanism
The attacker created a fake tick account and circumvented the owner check by writing the initialised tick address of the pool into the fake account. A bypass of that form implies the check trusted a value stored inside the caller-supplied account rather than verifying the account's own address and owner, so an attacker-created account that merely contained the expected address was accepted as a legitimate tick. The attacker then took a flash loan from Solend, deposited the borrowed funds as liquidity in the Crema pool, and claimed fees against the fake tick. Because the fees owed to a position are computed from the fee-growth data held in the tick accounts, a tick account under the attacker's control let them claim far more in fees than the pool had ever earned, repeatedly draining it.
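The pattern above, as an added illustration that is not Crema Finance's code: a plain-Rust model (no Solana crates) of a fee claim that validates the tick account only through a pool address copied into its data, beside a hardened version that first checks the account's owner and address. The account layout, the simplified fee formula, all addresses (`PROGRAM_ID`, `POOL`, `REAL_TICK`, `ATTACKER`) and the liquidity figure are constructed for the demo.

```rust
// Added illustration, not Crema Finance's code: a plain-Rust model of the
// account-validation flaw described above. No Solana crates are used; the
// account layout, the fee formula and all addresses are made up for the demo.

type Pubkey = [u8; 32];

const PROGRAM_ID: Pubkey = [1u8; 32]; // the pool program (hypothetical id)
const POOL: Pubkey = [2u8; 32];       // the pool account the attacker targets
const REAL_TICK: Pubkey = [3u8; 32];  // the tick account the pool really uses
const ATTACKER: Pubkey = [9u8; 32];   // attacker-controlled key/owner
const Q64: u128 = 1u128 << 64;        // fixed-point scale for the toy fee formula

#[derive(Clone, Debug)]
struct TickData {
    pool: Pubkey,             // pool address recorded *inside* the account data
    fee_growth_outside: u128, // fee-growth accumulator that drives fees owed
}

#[derive(Clone, Debug)]
struct Account {
    key: Pubkey,   // the account's address
    owner: Pubkey, // program that owns (and may write) the account
    data: TickData,
}

#[derive(Debug, PartialEq)]
enum Rejection {
    WrongOwner,
    WrongKey,
    WrongPool,
}

/// Toy fee formula: fees owed to `liquidity` given the tick's fee-growth value.
/// Real CLMMs difference fee-growth-inside checkpoints; the point here is only
/// that the number is read out of the tick account the caller handed in.
fn fees_owed(liquidity: u128, tick: &TickData) -> u128 {
    liquidity * tick.fee_growth_outside / Q64
}

/// Vulnerable pattern: the only check is that the pool address written inside
/// the caller-supplied account matches. Anyone can create an account whose data
/// says "pool = POOL", so this proves nothing about where the account came from.
fn claim_fees_vulnerable(pool: &Pubkey, tick: &Account, liquidity: u128) -> Result<u128, Rejection> {
    if tick.data.pool != *pool {
        return Err(Rejection::WrongPool);
    }
    Ok(fees_owed(liquidity, &tick.data))
}

/// Hardened pattern: check facts the caller cannot forge before trusting data.
/// `expected_tick` is the address the pool itself derived for this tick (e.g. a
/// PDA); `owner` must be this program, since only the owning program can write
/// the account. The data-field check stays as a final consistency check.
fn claim_fees_hardened(
    pool: &Pubkey,
    expected_tick: &Pubkey,
    tick: &Account,
    liquidity: u128,
) -> Result<u128, Rejection> {
    if tick.owner != PROGRAM_ID {
        return Err(Rejection::WrongOwner);
    }
    if tick.key != *expected_tick {
        return Err(Rejection::WrongKey);
    }
    if tick.data.pool != *pool {
        return Err(Rejection::WrongPool);
    }
    Ok(fees_owed(liquidity, &tick.data))
}

/// The tick account the pool program actually initialised (constructed sample).
fn genuine_tick() -> Account {
    Account {
        key: REAL_TICK,
        owner: PROGRAM_ID,
        data: TickData { pool: POOL, fee_growth_outside: 1u128 << 60 },
    }
}

/// The attacker's account: created by the attacker, with the genuine pool
/// address copied into its data and an inflated fee-growth value (constructed).
fn fake_tick() -> Account {
    Account {
        key: ATTACKER,
        owner: ATTACKER,
        data: TickData { pool: POOL, fee_growth_outside: 1u128 << 70 },
    }
}

/// Liquidity the attacker can post after a flash loan (constructed figure).
const FLASH_LOAN_LIQUIDITY: u128 = 1_000;

fn main() {
    let real = claim_fees_vulnerable(&POOL, &genuine_tick(), FLASH_LOAN_LIQUIDITY);
    let forged = claim_fees_vulnerable(&POOL, &fake_tick(), FLASH_LOAN_LIQUIDITY);
    let blocked = claim_fees_hardened(&POOL, &REAL_TICK, &fake_tick(), FLASH_LOAN_LIQUIDITY);
    println!("vulnerable, genuine tick: {:?}", real);    // Ok(62)
    println!("vulnerable, forged tick:  {:?}", forged);  // Ok(64000)
    println!("hardened, forged tick:    {:?}", blocked); // Err(WrongOwner)
}
```

The ordering in the hardened version matters: owner and address are properties the runtime guarantees and the caller cannot fabricate, so they are checked before any byte of account data is interpreted. The flash loan only scales the payout; without the forged tick the same liquidity earns the genuine, small fee.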
Stolen Funds
The stolen funds were swapped to 69,422.9 SOL and 6,497,738 USDC. The Solana-based USDC was then bridged to the Ethereum network via Wormhole and swapped to 6,064 ETH.
Response
The Crema team sent an on-chain message to the hacker's Ethereum address giving them 72 hours to act as a white hat: keep an $800k bounty and return the remaining funds. After negotiations, the hacker agreed to keep 45,455 SOL (approximately $1.5M at the time) as a bounty and returned the rest to the protocol.