More than $8.5m stolen in Crema hack

More than $8.78m worth of cryptocurrencies was stolen from Solana-based liquidity protocol Crema Finance over the weekend.

Before the attack on Saturday, July 2, Crema’s value stood at around $12m, but the protocol incurred an almost $9m hit, leaving it at $3m as of today.

Developers took to Twitter to inform users of the exploitation process through a series of tweets. “It’s been a tough day. Here we would like to give a recap of the recent hacking we just suffered from and share the information that we have in hands with all our users and Solana audience with transparency”, one read.

The Crema protocol was designed to provide superior performance for traders and liquidity providers. Such benefits include adding single-sided liquidity, conducting range-over trading and setting up specific price ranges on its decentralized trading platform. However, after the exploit, it had no choice but to suspend its smart contract.

The hacker stole the funds by creating a fake tick account, “a dedicated account that stores price tick data in a concentrated liquidity market maker (CLMM)”, said the developers in the Twitter thread.

After creating the tick account, “the hacker circumvented our routine owner check on the tick account by writing the initialized tick address of the pool into the fake account”.

Then, a flash loan was used to manipulate the prices of assets in the liquidity pools. Combined with the false tick data, this manipulation enabled the exploiter to claim “a huge fee amount out from the pool”; the stolen funds were then swapped to 69,422.9 Solana (SOL) and 6,497,738 USD Coin (USDC).
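The owner-check bypass described above is a classic account-validation failure in Solana programs: the program trusted a value written *inside* the caller-supplied account instead of validating properties of the account that a caller cannot forge. The following is an added illustration, not Crema’s code; it models accounts as plain Rust structs with no Solana SDK, and the 32-byte “pool tick address” data layout, the `Pool` state, and all key values are assumptions constructed for the example. It shows a weak check that a fabricated account satisfies beside a hardened check that rejects it.

```rust
// Added illustration (not Crema's code): simulated Solana-style account validation.
// Accounts are modelled as plain structs; no Solana SDK is used.

/// 32-byte public key, modelled as a fixed array.
pub type Pubkey = [u8; 32];

/// Runtime view of an account: its address, the program that owns it, and raw data.
/// On-chain, only the owning program can write `data`, but anyone can create an
/// account under a program they control and fill `data` with whatever they like.
#[derive(Clone, Debug)]
pub struct AccountInfo {
    pub key: Pubkey,
    pub owner: Pubkey,
    pub data: Vec<u8>,
}

/// Pool state records the address of the tick account it initialized (assumed layout).
pub struct Pool {
    pub tick_account: Pubkey,
}

/// Assumed tick-account layout: first 32 bytes hold the pool's initialized tick
/// address (the field the weak check relies on), followed by tick data.
fn stored_pool_tick(data: &[u8]) -> Option<Pubkey> {
    if data.len() < 32 {
        return None;
    }
    let mut k = [0u8; 32];
    k.copy_from_slice(&data[..32]);
    Some(k)
}

#[derive(Debug, PartialEq)]
pub enum CheckError {
    AccountTooSmall,
    WrongOwner,
    WrongAddress,
    Mismatch,
}

/// Weak check: trusts a value stored *inside* the supplied account.
/// A caller who controls the account's contents satisfies it simply by copying
/// the pool's real tick address into the first 32 bytes.
pub fn weak_tick_check(pool: &Pool, tick: &AccountInfo) -> Result<(), CheckError> {
    let stored = stored_pool_tick(&tick.data).ok_or(CheckError::AccountTooSmall)?;
    if stored != pool.tick_account {
        return Err(CheckError::Mismatch);
    }
    Ok(())
}

/// Hardened check: validates properties the caller cannot forge before reading data.
/// 1. the account must be owned by this program (only it could have written the data);
/// 2. the account's *address* must equal the one the pool recorded at initialization;
/// 3. only then is the stored field compared.
pub fn hardened_tick_check(
    program_id: &Pubkey,
    pool: &Pool,
    tick: &AccountInfo,
) -> Result<(), CheckError> {
    if &tick.owner != program_id {
        return Err(CheckError::WrongOwner);
    }
    if tick.key != pool.tick_account {
        return Err(CheckError::WrongAddress);
    }
    let stored = stored_pool_tick(&tick.data).ok_or(CheckError::AccountTooSmall)?;
    if stored != pool.tick_account {
        return Err(CheckError::Mismatch);
    }
    Ok(())
}

/// Constructed scenario: a legitimate tick account, and a fabricated one that copies
/// the real tick address into its data but lives at a different address and is owned
/// by a different program. Returns (weak/legit, weak/fake, hardened/legit, hardened/fake).
pub fn scenario() -> (
    Result<(), CheckError>,
    Result<(), CheckError>,
    Result<(), CheckError>,
    Result<(), CheckError>,
) {
    let program_id: Pubkey = [1u8; 32]; // the CLMM program (constructed key)
    let real_tick_addr: Pubkey = [2u8; 32]; // address the pool recorded at init
    let other_program: Pubkey = [9u8; 32]; // program the fake account was created under
    let pool = Pool { tick_account: real_tick_addr };

    let mut legit_data = real_tick_addr.to_vec();
    legit_data.extend_from_slice(&[0u8; 64]); // placeholder tick data
    let legit = AccountInfo { key: real_tick_addr, owner: program_id, data: legit_data.clone() };
    let fake = AccountInfo { key: [7u8; 32], owner: other_program, data: legit_data };

    (
        weak_tick_check(&pool, &legit),
        weak_tick_check(&pool, &fake),
        hardened_tick_check(&program_id, &pool, &legit),
        hardened_tick_check(&program_id, &pool, &fake),
    )
}

fn main() {
    let (wl, wf, hl, hf) = scenario();
    println!("weak check:     legit={:?} fake={:?}", wl, wf);
    println!("hardened check: legit={:?} fake={:?}", hl, hf);
}
```

The design point is that the owner field inside the account is attacker-controlled data, while the account's address and its owning program are set by the runtime; a validation that compares only the former accepts the fabricated account, whereas checking the latter two first rejects it before its contents are ever read.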

The attacker then bridged the Solana-based USDC to the Ethereum network using Wormhole (a decentralized cross-chain messaging protocol) and swapped it for 6,064 Ether (ETH), equating to more than $89.5m.



Updated: 07/04/2022 — 19:00