Crema Finance – a concentrated liquidity market maker protocol on Solana – has frozen operations following an $8.7 million exploit. The hacker has since moved the funds to another chain, but he and his gains are still being tracked.
Manipulating the Data
Crema published a Twitter thread on Sunday explaining the technical details of the incident. Saturday’s hack was executed by creating a fake ‘tick’ account – an account that stores price tick data in Crema.
Though Crema is designed with an owner check to verify legitimate tick accounts, the hacker was able to circumvent it. He reportedly “[wrote] the initialized tick address of the pool into the fake account.”
With the transaction confirmed, the hacker then sourced funds from the Solana lending protocol Solend through a flash loan. He used them to add liquidity to open positions on Crema. Last month, Solend was caught in a scandal whereby it deliberated over seizing funds from a whale borrower nearing liquidation.
In this case, Solend was not impacted, and funds stored in the protocol are safe. However, the hacker was able to manipulate data in the tick account on Crema to extract massive fees from the pool. This spurred Crema to suspend the smart contract following the exploit.
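As an added, simplified model of the validation flaw the thread describes (this is not Crema’s program code; the account layout, field names, and the assumption that the fake account passed the owner check are mine), contrasting a check that trusts an address written inside an account’s data with one that compares the account’s own address against the tick account the pool registered at initialisation:

```rust
// Added illustrative model, not Crema's code: a pool records the address of the
// tick account it initialised; a tick account stores tick/fee data for that pool.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub u64); // toy stand-in for a 32-byte Solana public key

pub struct TickAccount {
    pub key: Pubkey,              // the account's own on-chain address
    pub owner: Pubkey,            // program that owns the account (runtime-enforced)
    pub stored_tick_addr: Pubkey, // data field that whoever created the account controls
    pub fee_growth: u64,          // fee accounting the swap path reads
}

pub struct Pool {
    pub program: Pubkey,      // the AMM program expected to own tick accounts
    pub tick_account: Pubkey, // address recorded when the pool was initialised
}

#[derive(Debug, PartialEq, Eq)]
pub enum TickError { WrongOwner, NotPoolTickAccount }

/// Weak validation: owner check plus a comparison against a field *inside* the
/// account's data. Anyone who can get a program-owned account created can copy
/// the pool's real tick address into that field, so the comparison proves nothing.
pub fn validate_tick_weak(pool: &Pool, tick: &TickAccount) -> Result<(), TickError> {
    if tick.owner != pool.program { return Err(TickError::WrongOwner); }
    if tick.stored_tick_addr != pool.tick_account { return Err(TickError::NotPoolTickAccount); }
    Ok(())
}

/// Hardened validation: compare the account's actual address with the one the
/// pool recorded at initialisation. Account contents cannot vouch for themselves.
pub fn validate_tick_strict(pool: &Pool, tick: &TickAccount) -> Result<(), TickError> {
    if tick.owner != pool.program { return Err(TickError::WrongOwner); }
    if tick.key != pool.tick_account { return Err(TickError::NotPoolTickAccount); }
    Ok(())
}

/// Constructed scenario: a pool, its genuine tick account, and a fake one whose
/// data field has been filled with the pool's initialised tick address.
pub fn constructed_scenario() -> (Pool, TickAccount, TickAccount) {
    let program = Pubkey(1);
    let pool = Pool { program, tick_account: Pubkey(100) };
    let genuine = TickAccount { key: Pubkey(100), owner: program, stored_tick_addr: Pubkey(100), fee_growth: 7 };
    let fake = TickAccount { key: Pubkey(999), owner: program, stored_tick_addr: Pubkey(100), fee_growth: u64::MAX };
    (pool, genuine, fake)
}

fn main() {
    let (pool, genuine, fake) = constructed_scenario();
    println!("weak/fake:   {:?}", validate_tick_weak(&pool, &fake));     // Ok(()) - check bypassed
    println!("strict/fake: {:?}", validate_tick_strict(&pool, &fake));   // Err(NotPoolTickAccount)
    println!("strict/real: {:?}", validate_tick_strict(&pool, &genuine)); // Ok(())
}
```

The defensive takeaway is that the identity of an account must be established from its address (or a PDA derivation) and owner, never from values the account itself reports.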
“The hacker swapped the stolen fund into 69,422.9 SOL and 6,497,738 USDCet via Jupiter,” explained Crema. “The USDCet was then bridged to Ethereum network via Wormhole and swapped to 6,064 ETH via Uniswap after that.”
Tracking the Funds
Wormhole and other bridge services are frequently involved in DeFi hacks. They either provide an avenue for thieves to cover their tracks or are themselves honeypots for massive thefts. So far, the first and third largest DeFi hacks ever involved blockchain bridges – one of which was Wormhole’s $320 million loss in February.
Nevertheless, Crema and its partners still have their eye on the hacker’s ill-gotten gains as they move around the blockchain. The hacker’s Ethereum and Solana addresses are already identified, and Crema continues to request comments from the hacker.
On Monday, Crema provided an update stating that it had identified the hacker’s Discord account. As the team works towards “detecting” his identity, it is also actively fixing technical vulnerabilities in its protocol. Crema’s contract will resume only after its investigation is complete and a “resolvement plan” is developed.