Solana Liquidity Protocol Hacked for $8.7 Million

Crema Finance – a concentrated liquidity market maker protocol on Solana – has frozen operations following an $8.7 million exploit. The hacker has since transferred the funds to another platform, but he and his gains are still being tracked.

Manipulating the Data

Crema published a Twitter thread on Sunday explaining the technical details of the incident. Saturday’s hack was made possible by creating a fake ‘tick’ account – an account that stores price tick data in Crema.

Crema’s design includes an owner check to verify legitimate tick accounts. Nevertheless, the hacker was able to circumvent it. He reportedly “[wrote] the initialized tick address of the pool into the fake account.”

Following the transaction’s confirmation, the hacker sourced funds from the Solana lending protocol Solend through a flash loan. He used them to add liquidity to open positions on Crema. Last month, Solend was part of a scandal when it deliberately seized the funds of a whale borrower nearing liquidation.

In this case, Solend did not suffer any impact, and the funds in the protocol are safe. However, the hacker was able to manipulate data in the tick account on Crema to extract massive fees from the pool. This forced Crema to suspend the smart contract following the exploit.

“The hacker swapped the stolen fund into 69422.9SOL and 6,497,738 USDCet via Jupiter,” explained Crema. “The USDCet was then bridged to Ethereum network via Wormhole and swapped to 6064ETH via Uniswap after that.”

Tracking the Funds

Wormhole and other bridge services are frequently the subject of DeFi hacks. They either provide an avenue for thieves to cover their tracks or are themselves honeypots for massive thefts. So far, the first and third largest DeFi hacks ever involved blockchain bridges – one of which was Wormhole’s $320 million loss in February.

Nevertheless, Crema and its partners still have their eye on the hacker’s illicit gains as they move around the blockchain. The hacker’s Ethereum and Solana addresses are already identified, and Crema continues to request comments from the hacker.

On Monday, Crema provided an update stating that it had identified the hacker’s Discord account. As the team works towards “detecting” his identity, it is also actively fixing technical vulnerabilities in its protocol. Crema’s contract will resume only after its investigation is complete and a “resolvement plan” has been developed.
