Solana-powered Crema Finance loses nearly $9 million in flash loan attack

Crema Finance, a concentrated liquidity protocol built on the Solana (SOL) blockchain, lost over $8.7 million in crypto assets in a flash loan attack that drained its liquidity reserves.

The protocol’s official Twitter account confirmed the hack on Sunday and announced the temporary suspension of the service while the team opens an investigation.

“Our protocol seems to have been hacked,” Crema Finance’s Twitter account said. “We have temporarily suspended the program and are investigating it. Updates will be shared here as soon as possible.”

In an update, the team explained that the hacker started by creating a fake tick account. A tick account is a dedicated account that stores price tick data in a Concentrated Liquidity Market Maker (CLMM). The hacker was then able to circumvent the routine “verification” process by “writing the pool’s initialized tick address into the fake account”.

The hacker then deployed a contract that allowed them to take out a flash loan from the lending service Solend and add liquidity on Crema to open positions.

“In CLMM, the transaction fee calculation is mainly based on the tick account data. As a result, the genuine transaction fee data was replaced with the falsified data, so the hacker ended the theft by claiming a huge pool fee amount,” said Crema Finance.
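The verification bypass the team describes comes down to trusting data stored inside an account that the caller supplied. The following added example (not Crema Finance's code and not part of the original article) models that in plain Rust without the Solana SDK; the `Account` and `Pool` types, the 32-byte data layout, and the owner and address checks are simplifying assumptions for illustration.

```rust
// Simplified model (assumption): not Crema's code and not the Solana SDK.
type Pubkey = [u8; 32];

/// Minimal stand-in for an on-chain account passed into an instruction.
struct Account {
    key: Pubkey,   // address of the account
    owner: Pubkey, // program that controls the account's data
    data: Vec<u8>, // first 32 bytes: tick address recorded in the account (constructed layout)
}

struct Pool {
    program_id: Pubkey,
    initialized_tick: Pubkey, // tick account address stored by the pool at setup
}

#[derive(Debug, PartialEq)]
enum TickError { BadData, WrongOwner, WrongAddress }

/// Weak check: trusts bytes inside the account, which whoever created it controls.
fn verify_tick_weak(pool: &Pool, acct: &Account) -> Result<(), TickError> {
    match acct.data.get(..32) {
        Some(d) if d == pool.initialized_tick.as_slice() => Ok(()),
        _ => Err(TickError::BadData),
    }
}

/// Hardened check: the account must be owned by the program and be the exact
/// address the pool recorded, before any of its data is read.
fn verify_tick_strict(pool: &Pool, acct: &Account) -> Result<(), TickError> {
    if acct.owner != pool.program_id { return Err(TickError::WrongOwner); }
    if acct.key != pool.initialized_tick { return Err(TickError::WrongAddress); }
    verify_tick_weak(pool, acct)
}

/// Constructed sample: (pool, genuine tick account, look-alike account).
fn sample() -> (Pool, Account, Account) {
    let (program, tick, other) = ([1u8; 32], [2u8; 32], [9u8; 32]);
    let pool = Pool { program_id: program, initialized_tick: tick };
    let genuine = Account { key: tick, owner: program, data: tick.to_vec() };
    let lookalike = Account { key: other, owner: other, data: tick.to_vec() };
    (pool, genuine, lookalike)
}

fn main() {
    let (pool, genuine, lookalike) = sample();
    println!("weak   genuine={:?} lookalike={:?}", verify_tick_weak(&pool, &genuine), verify_tick_weak(&pool, &lookalike));
    println!("strict genuine={:?} lookalike={:?}", verify_tick_strict(&pool, &genuine), verify_tick_strict(&pool, &lookalike));
}
```

In this model the weak check accepts both accounts because it only compares stored bytes, while the strict check rejects the look-alike before any fee data would be read from it.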

According to an analysis by Solana explorer SolanaFM, Crema Finance was exploited for $8.78 million, which included various amounts of USDT, the Hubble stablecoin USDH, as well as crypto synths.

Meanwhile, the project shared addresses linked to the hacker, saying it would track the movement of stolen funds.

“More and more relevant organizations are providing us with valuable clues. Additionally, we are always open to communication with the hacker before the time window closes,” the project said.
