New tremor in the decentralized finance (DeFi) ecosystem: the Crema Finance protocol, which takes place on the Solana (SOL) blockchain, suffered an $8.8 million attack this weekend. The attacker allegedly used a flash loan before hijacking the platform’s transaction fee calculation system in order to achieve his goal.
Crema Finance has $8.8 million stolen
Crema Finance, a decentralized finance (DeFi) protocol offering liquidity pools hosted on the Solana (SOL) blockchain, had about $8.8 million stolen this weekend.
1) It’s been a tough day. Here we would like to give a recap of the recent hacking we just suffered from and share the information that we have in hands with all our users and Solana audience with transparency.
– CremaFinance (@Crema_Finance) July 3, 2022
Shortly after the attack, Crema Finance paused its services to limit the damage. The hacker used a flash loan technique to achieve his goal, a process that is unfortunately quite common in hacks that allows borrowing funds without any compensation.
After a multitude of operations, the hacker decided to split the stolen funds into two separate wallets, a Solana wallet and an Ethereum wallet. At the time of writing, the Solana wallet holds 69,422 SOL (about $2.4 million) and the Ethereum wallet holds about 6.5 million USDCet.
The team in charge of the project said it would track the movements of the stolen funds with the help of various organisations. It also stated that it was available to the hacker to try to find a common ground for the possible return of the assets.
To this end, Crema sent an on-chain message directly to the hacker, informing him of the potential lawsuit that awaited him:
” To the Crema hacker: Your Solana and Ethereum addresses have been blacklisted and all eyes are on you right now. You have 72 hours from now to consider becoming a white hat and keep $800k as a bonus. […] If not, the police and law enforcement will officially get involved and endless searches will await you. Crema Finance. “
Today, Monday 4 July at around 2pm, Crema Finance announced via Twitter that the Discord account used by the hacker had been found, and that they were continuing their investigations to try to uncover his identity.
The course of events
According to an analysis of the on-chain data explorer SolanaFM carried out in collaboration with the blockchain auditing company OtterSec, the hacker would have started his action by triggering 6 flash loans via the Solend lending (borrowing and lending) protocol.
Through this manipulation, he obtained 400,000 USDH, 5.5 million USDT, 10,500 mSOL, 57,000 stSOL and 840,000 PAI.
Following this, the individual created a ‘tick account’, a type of account used to store asset prices on Crema Finance, which allows its users to deposit funds into its liquidity pools at defined price ranges.
Using this fake account, the attacker was able to bypass Crema Finance’s system by artificially inflating the fees of his various deposits made with the borrowed money. More simply, the hacker was able to retrieve the borrowed funds and additional transaction fees directly from the liquidity pools.
As a result of the hack, the total locked value (TVL) of the protocol fell sharply from $12.55 million to $3.88 million.
Crema Finance’s total locked value over 5 months (USD)
This attack comes 2 weeks after Crema Finance raised $5.4 million in a securities offering led by Qiming Venture Partners alongside investors such as Everest Ventures Group, AGE Fund, Big Brain Holdings and Summer Capital.
