
Solana-based Crema Finance Hacked for $8.7M in DeFi Exploit


coinfomania.com 03 July 2022 10:24, UTC

Crema Finance, a DeFi protocol on the Solana network, suffered a security breach in the early hours of Sunday. The hack led to the loss of an estimated $8.7 million, which the attacker still holds in separate wallet addresses on the Ethereum and Solana networks.

🚨🚨Attention! Our protocol seems to have just experienced a hacking. We temporarily suspended the program and are investigating it. Updates will be shared here ASAP.

— CremaFinance (@Crema_Finance) July 3, 2022

Crema Finance Hack News

Crema Finance labels itself as a concentrated liquidity protocol. The app allows users to swap between Solana-based assets for low slippage and efficient fees. According to its website, Crema Finance has handled over $1.3 billion in historical trading volume and boasts over 38,000 users.

However, a vulnerability related to the protocol’s “ticks account,” a feature used for “error handling” in Solana transactions, reportedly led to the latest exploit. The attacker obtained a flash loan from Solend, another Solana-based DeFi protocol, and used it to manipulate Crema Finance’s pools.

The hacker drained over $8.7 million, leaving $2.27 million in their original Solana address. The majority, some $6.43 million, was transferred to Ethereum through the Wormhole protocol.

Meanwhile, the Crema Finance team has reached out to the unknown attacker through an on-chain message. The team has offered an $800,000 bounty if the hacker agrees to return the stolen assets within 72 hours, and has threatened to send “police and legal forces” after the hacker if they do not comply.

The Crema Finance hack is notable for a few reasons. Among other things, it is the first attack on the Solana network originating from flash loans. Flash loans, which are by nature permissionless, have been the source of several multi-billion hacks in DeFi over the past few years.

Solana-based DeFi protocols, many of which are closed-source, will apparently need to beef up security, as it would seem hackers have turned their attention to the so-called “Ethereum killer.”
