Solana DeFi Protocol Crema Loses $8.8M in Exploit

Crema Finance developers said they are coordinating with “relevant organizations” to gather more information.

AccessTimeIconJul 4, 2022 at 8:23 a.m. UTC
Updated May 11, 2023 at 4:43 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Solana-based liquidity protocol Crema Finance had more than $8.78 million worth of cryptocurrencies stolen from its platform in an attack over the weekend, developers said in a tweet.

Crema said it had suspended its smart contract after the exploit. The protocol allows liquidity providers to set specific price ranges, add single-sided liquidity and conduct range order trading. This makes for a sophisticated and decentralized trading platform.

“We've been closely working with several experienced security institutes and relevant organizations to track the hacker's fund movements,” the developers said in a tweet.

Value locked on Crema plunged to $3 million on Monday from over $12 million on Saturday following the exploit, data shows. Crema has seen trading volumes of $1.34 billion since its inception in January.

The attacker started by creating a fake tick account. A tick account is "a dedicated account that stores price tick data in CLMM,” the developers said, referring to Crema's market making protocol. After that, the attacker exploited a command by writing the data on the fake account and circumventing security measures.

The attacker then used a flash loan to manipulate the prices of assets on liquidity pools. This, along with the false data entries, allowed the attacker to claim “a huge fee amount out from the pool.”

Flash loans allow traders to borrow unsecured loans from lenders by relying on smart contracts instead of third parties.

The stolen funds were swapped to 69422.9 solana (SOL) and 6,497,738 USD coin (USDC). The Solana-based USDC was then bridged to the Ethereum network via Wormhole and swapped to 6,064 ether (ETH). These funds amount to over $8.5 million at current prices.

The attacker’s Ethereum address, 0x8021b2962dB803b73Aa874030B0B42c202E8458F as flagged by blockchain scanning tool Etherscan, had not moved the stolen funds or converted to other coins at writing time, the data show.


Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk offers all employees above a certain salary threshold, including journalists, stock options in the Bullish group as part of their compensation.

Shaurya Malwa

Shaurya is the Deputy Managing Editor for the Data & Tokens team, focusing on decentralized finance, markets, on-chain data, and governance across all major and minor blockchains.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.