DeFi protocol Crema Finance has been in the crosshairs of cybercriminals several times in the past twelve months. On July 2, 2022, hackers again targeted the Solana-based lending and borrowing platform in what was the fourth serious breach of the protocol’s security.
DeFi Exploit Resurfaces Again
In the latest attack, unknown hackers exploited a vulnerability in the tick account to drain funds totaling $8,782,446 from multiple liquidity pools. The Crema Finance developers explained that the protocol suffered a devastating breach that was carried out in a series of flash loan attacks.
The bad actor later moved the funds from the original SOL address to a different wallet which has now been blacklisted on Solana and Ethereum. The team is currently working with blockchain auditing company OtterSec to track the movement of the stolen funds.
Hacker Attempts to Move Stolen Funds
New details about the devastating hack on Crema Finance over the weekend have emerged. The project backers shared a series of tweets updating users on how the attack was orchestrated. According to the latest details, malicious actors managed to activate six flash loans on Solend protocol and drain stablecoins USDH and USDT from the pool vaults.
The attacker then swapped the stolen funds into 69422.9 SOL and 6,497,738 USDCet through Jupiter exchange. The stolen USDCet was then bridged in 5 batches from the initial SOL wallet to a separate Ethereum wallet and swapped to 6064 Ether via Uniswap.
How the Attacker Infiltrated Crema Finance
Tweets posted by the Crema Finance security team have shed more light on how the attack on their protocol took place. According to the detailed report, the attacker launched the hack by creating a fake tick account. A tick account is the account used to store price tick data in Concentrated Liquidity Market Making (CLMM).
The sophisticated criminal then circumvented the protocol’s programmed owner check on the tick account by writing the initialized tick address of the pool into the fake account. Next, the attacker deployed a contract and used it to borrow a flash loan from the Solend protocol to add liquidity to open positions on Crema, the platform’s programmable liquidity network.
“In CLMM, the calculation of transaction fees mainly relies on the data in the tick account. As a result, the authentic transaction fee data was replaced by the faked data so the hacker completed the stealing by claiming a huge fee amount out from the pool,” the Twitter thread explained.
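The account check described above, as a simplified model in Rust. This is an added example, not Crema's code: it assumes the weak check compared an address stored inside the account's data, and contrasts it with a check of the account's owning program and real address. All types, function names and byte values are hypothetical and constructed.

```rust
// Simplified model of Solana account validation; all names are hypothetical.
type Pubkey = [u8; 32];

struct Account {
    key: Pubkey,   // address of the account itself
    owner: Pubkey, // program that owns (and alone may write) the account
    data: Vec<u8>, // first 32 bytes: tick address recorded inside the data
}

struct Pool {
    tick_account: Pubkey, // tick account address recorded at pool initialization
}

#[derive(Debug, PartialEq)]
enum TickError { DataTooShort, WrongOwner, WrongAddress }

// Weak check (assumed shape): trusts a field the account's creator fully controls.
fn check_weak(pool: &Pool, acct: &Account) -> Result<(), TickError> {
    let stored = acct.data.get(..32).ok_or(TickError::DataTooShort)?;
    if stored != pool.tick_account.as_slice() { return Err(TickError::WrongAddress); }
    Ok(())
}

// Hardened check: runtime-enforced owner plus the account's real address.
fn check_hardened(program_id: &Pubkey, pool: &Pool, acct: &Account) -> Result<(), TickError> {
    if &acct.owner != program_id { return Err(TickError::WrongOwner); }
    if acct.key != pool.tick_account { return Err(TickError::WrongAddress); }
    if acct.data.len() < 32 { return Err(TickError::DataTooShort); }
    Ok(())
}

// Constructed sample: a genuine tick account and a look-alike owned by another program.
fn sample() -> (Pubkey, Pool, Account, Account) {
    let (program_id, other_program) = ([1u8; 32], [9u8; 32]);
    let pool = Pool { tick_account: [2u8; 32] };
    let genuine = Account { key: [2u8; 32], owner: program_id, data: vec![2u8; 64] };
    // Look-alike: different key and owner, but its data copies the pool's tick address.
    let fake = Account { key: [7u8; 32], owner: other_program, data: vec![2u8; 64] };
    (program_id, pool, genuine, fake)
}

fn main() {
    let (pid, pool, genuine, fake) = sample();
    println!("weak(genuine)     = {:?}", check_weak(&pool, &genuine));
    println!("weak(fake)        = {:?}", check_weak(&pool, &fake));
    println!("hardened(genuine) = {:?}", check_hardened(&pid, &pool, &genuine));
    println!("hardened(fake)    = {:?}", check_hardened(&pid, &pool, &fake));
}
```

The weak check accepts both accounts because it only reads bytes that whoever created the account could write; the hardened check rejects the look-alike on the owner field, which the runtime sets and the account's creator cannot forge.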
Crema Finance Suspends Smart Contract
The Crema security team has moved to suspend their smart contract to minimize the exploit’s impact and protect the remaining user funds. The popular lending protocol is working closely with several blockchain security institutes to trace the movements of the funds.
The dev team lamented that the hack occurred during a prosperous time for Crema but promised to fix all technical issues that led to the breach and resume the contract.