Solana: $8.7 million stolen in one click, Crema Finance left reeling

DeFi bites the dust again – Security is a vital feature for any DeFi protocol that wants to thrive. Hackers are constantly on the lookout for the slightest flaw. The Crema Finance protocol, hosted on Solana (SOL), just learned this the hard way following a hack amounting to $8.7 million.

Pools of siphoned cash: Crema Finance loses a lot of money

Crema Finance is a decentralized exchange protocol hosted on the Solana blockchain. Specifically, it offers concentrated liquidity pools, allowing efficient swaps with very little slippage.

On Saturday July 2, the protocol alerted its users that an attack targeting its liquidity pools was underway. Naturally, the protocol's teams quickly put the pools on hold to try to limit the damage.

Crema Finance alerted its users that an attack was in progress – Source: Twitter

A few hours later, the tally came in. The hacker stole $8.7 million in cryptocurrencies. In more detail, the haul consists of 69,422 SOL and 6,497,738 USDCet. Unsurprisingly, the funds were quickly sent to the Ethereum blockchain via the Wormhole bridge. They were then exchanged there for 6,064 ETH on Uniswap.

The teams announced that they are actively tracking the funds and every transfer. They also said they were open to negotiation, leaving the attacker a chance to return the funds in exchange for a reward.

Tick account and flash loans: the hacker's winning combo

On Sunday July 3, the Crema Finance teams published a first post-mortem via Twitter, allowing the attack to be traced.

Post-mortem published by Crema Finance the day after the hack – Source: Twitter

In fact, the attacker carried out the attack by tricking Crema Finance's smart contracts. To do this, he created a fake tick account. For reference, tick accounts store the price of a given pair on the exchange.

This allowed him to pass his address off as a legitimate address for providing the price of an asset. He then deployed a smart contract to perform multiple flash loans on Solend, borrowing:

  • USD 400,000;
  • 5,500,000 USDT;
  • 10,500 mSOL;
  • 57,000 stSOL;
  • 840,000 PAI.

The borrowed funds were subsequently deposited in Crema Finance’s liquidity pools. Finally, the attacker used his corrupted tick account to inflate the fees associated with his deposits.

“On Crema Finance, the calculation of transaction costs is mainly based on data from the tick account. Hence, the genuine transaction fee data was replaced with fake data so the hacker completed the theft by claiming a huge amount of fees from the pools.”

Post-mortem of Crema Finance
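
The weakness described in the post-mortem, fee data read from a tick account the caller supplies, can be modelled as follows. This is an added example, not code from Crema Finance or from the original article; the types, field names and the ownership and pool checks are assumptions chosen to show why fee data should only be read from a tick account that the exchange program itself owns.

```rust
// Simplified model constructed for illustration; all names are hypothetical.
#[derive(Clone, Copy, PartialEq, Debug)]
pub struct Id(pub u8); // stands in for a 32-byte Solana address

pub const DEX_PROGRAM: Id = Id(1); // the exchange program's own id (assumed)
const SCALE: u128 = 1_000_000; // fixed-point scale for fee growth

pub struct TickAccount {
    pub owner: Id,       // program that created and may write this account
    pub pool: Id,        // pool the tick data belongs to
    pub fee_growth: u64, // fees accrued per unit of liquidity, times SCALE
}
pub struct Position { pub pool: Id, pub liquidity: u64, pub fee_checkpoint: u64 }

#[derive(Debug, PartialEq)]
pub enum ClaimError { ForeignOwner, WrongPool, FeeGrowthWentBackwards }

fn fee(pos: &Position, delta: u64) -> u64 {
    (delta as u128 * pos.liquidity as u128 / SCALE).min(u64::MAX as u128) as u64
}

// Weak: trusts whichever tick account the caller supplies.
pub fn claim_unchecked(pos: &Position, tick: &TickAccount) -> u64 {
    fee(pos, tick.fee_growth.saturating_sub(pos.fee_checkpoint))
}

// Hardened: the tick account must be owned by the exchange program and bound
// to the same pool as the position before any of its data is used.
pub fn claim_checked(pos: &Position, tick: &TickAccount) -> Result<u64, ClaimError> {
    if tick.owner != DEX_PROGRAM { return Err(ClaimError::ForeignOwner); }
    if tick.pool != pos.pool { return Err(ClaimError::WrongPool); }
    let delta = tick.fee_growth.checked_sub(pos.fee_checkpoint)
        .ok_or(ClaimError::FeeGrowthWentBackwards)?;
    Ok(fee(pos, delta))
}

// Constructed sample data: one position, one genuine and one forged tick account.
pub fn sample_position() -> Position { Position { pool: Id(10), liquidity: 5_000_000, fee_checkpoint: 1_000 } }
pub fn genuine_tick() -> TickAccount { TickAccount { owner: DEX_PROGRAM, pool: Id(10), fee_growth: 2_000 } }
pub fn forged_tick() -> TickAccount { TickAccount { owner: Id(99), pool: Id(10), fee_growth: 2_000_000_000 } }

fn main() {
    let pos = sample_position();
    println!("unchecked, forged: {}", claim_unchecked(&pos, &forged_tick()));
    println!("checked, forged:   {:?}", claim_checked(&pos, &forged_tick()));
    println!("checked, genuine:  {:?}", claim_checked(&pos, &genuine_tick()));
}
```

With the constructed data, the unchecked path credits the forged account's inflated fee growth, while the checked path rejects it on the owner test and still pays the genuine claim.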

Crema Finance on the verge of finding its hacker?

During their investigation, the Crema Finance teams succeeded in finding the attacker's Ethereum address.

Looking at it more closely, we see that the attacker's address made a transaction of 5 ETH a few hours before the attack. In practice, this transaction leads to a first address, from which the funds were sent directly to a second address, which we will call 0x077D.

This address has a large ETH balance that fluctuates constantly, with inflows and outflows every few minutes. Since its creation, it has received more than 300,000 ETH.

Looking at the comments linked to this address on Etherscan, we can see that it is linked to another scam, potentially perpetrated by the same hacker.

A comment on address 0x077D

While researching more information on this address, we came across internet users explaining that their funds had been transferred there after being stolen in “fake giveaway” scams. These fake giveaways had notably been carried out via live streams on compromised YouTube channels.

In the end, our attacker may not be at his first attempt. If this is really the case, there is little chance that he will try to negotiate with the Crema Finance teams over returning the funds in exchange for a reward.

Recently, the XCarnival protocol was also the target of an attack. Fortunately for the protocol, the attacker agreed to return half of the stolen funds.
