Crema Finance, a Solana-based concentrated liquidity protocol, was exploited on July 2, 2022. The DeFi protocol was hacked for nearly $9 million as the exploit drained funds from multiple liquidity pools.
The hacker transferred the funds to a second wallet that has now been blacklisted on both Solana and Ethereum. The protocol team is trying to figure out what they can do about the hacked funds. They have enlisted the blockchain auditing company OtterSec to track and monitor the movement of the hacked coins.
Crema Finance is a relatively new protocol, not to be confused with CREAM finance. CREAM had a slew of exploits and is now defunct.
What is Crema Finance?
Crema Finance is a DeFi protocol on the Solana network. The protocol allows users to provide liquidity and earn yield in return. Crema markets itself as having protection from impermanent loss and greater capital efficiency than other DeFi protocols.
The protocol is less than 6 months old and had just executed a presale of its own token, $CRM. $CRM has 3 major utilities: staking, boosting, and governance. When you stake $CRM you receive veCRM. veCRM allows for boosting liquidity mining APR, a cut of the transaction fees, and the ability to vote and make proposals.
Crema offers a concentrated liquidity market maker (CLMM) that uses an augmented algorithm to drive decentralized trading. CLMM ‘allows liquidity providers to set specific price ranges, add single-sided liquidity and do range order trading’. Also, according to the Crema site, ‘it redefines the capital efficiency and trading depth on Solana’.
For traders, the CLMM should allow for more market depth and lower price slippage due to more liquidity concentrated around the current price. This is allegedly a big improvement on the traditional automated market maker (AMM) model.
Additionally, liquidity providers can earn transaction fees more efficiently by specifying a narrow price range for their capital. In theory this lets you earn higher fees on the same capital while limiting impermanent loss; in practice a narrow range only earns fees while the price stays inside it, and a position that the price moves out of stops earning until it is rebalanced.
Crema also has available integration with aggregators. This should lead to always finding the best price throughout Solana.
Lastly, CLMM liquidity providers receive a non-fungible token (NFT) representing their position, not the fungible LP token most decentralized exchanges provide. Despite this, LP holders can still farm their position NFT to earn additional rewards.
What Happened in Crema Finance Hack?
The Crema Finance team has released a handful of tweets about the hack. The latest details indicate that the hacker took six flash loans on the Solend protocol to fund the swaps that drained the stablecoins.
With that borrowed capital in hand, the hacker stole nearly $9 million.
As described in the tweets, the hacker created a fake tick account to get around the checks set up by Crema Finance. (Note – Tick accounts store price tick data in the concentrated liquidity market maker (CLMM) algorithm.)
Because the CLMM program trusted fee data read from the tick account it was handed, the attacker could substitute their own account holding inflated fee figures, then claim that fake fee amount from the pools. The flash loans supplied the capital to move the pools and were repaid within the same transaction.
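The failure the tweets describe, an account supplied by the caller being trusted as if it were the pool's own tick account, is a recurring bug class in Solana programs: the account's bytes deserialize fine, so a program that only checks the data layout cannot tell a forged account from the real one. The block below is an added illustration, not Crema's program or its actual checks (which the page does not describe). `Pubkey`, `Account`, `derive_tick_address` and the 12-byte tick layout are simplified stand-ins written with the Rust standard library only, and the fee figures are constructed for the example.

```rust
// Added example (not Crema Finance code): an on-chain program must verify
// WHICH account it was handed, not just that the bytes deserialize.
// Solana's Pubkey, account owner and PDA derivation are std-only stand-ins.
use std::collections::hash_map::DefaultHasher;
use std::convert::TryInto;
use std::hash::{Hash, Hasher};

/// Stand-in for a 32-byte Solana public key.
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub struct Pubkey(pub u64);

/// Minimal account model: address, owning program (the only one allowed
/// to write the data), and serialized data.
#[derive(Clone, Debug)]
pub struct Account {
    pub key: Pubkey,
    pub owner: Pubkey,
    pub data: Vec<u8>,
}

/// Tick record as a fee-claim path would read it (units are arbitrary here).
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Tick {
    pub index: i32,
    pub fee_growth_outside: u64,
}

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum TickError {
    WrongOwner,
    WrongAddress,
    BadData,
}

/// Stand-in for a program-derived address keyed on (program, pool, tick).
/// Real Solana PDAs are SHA-256 based with a bump seed; any deterministic
/// seeds-to-address map serves the point of the example.
pub fn derive_tick_address(program_id: Pubkey, pool: Pubkey, tick_index: i32) -> Pubkey {
    let mut h = DefaultHasher::new();
    (b"tick", program_id, pool, tick_index).hash(&mut h);
    Pubkey(h.finish())
}

/// Little-endian layout: i32 index followed by u64 fee growth (12 bytes).
pub fn encode_tick(t: Tick) -> Vec<u8> {
    let mut v = t.index.to_le_bytes().to_vec();
    v.extend_from_slice(&t.fee_growth_outside.to_le_bytes());
    v
}

fn parse_tick(data: &[u8]) -> Result<Tick, TickError> {
    if data.len() != 12 {
        return Err(TickError::BadData);
    }
    let index = i32::from_le_bytes(data[0..4].try_into().unwrap());
    let fee_growth_outside = u64::from_le_bytes(data[4..12].try_into().unwrap());
    Ok(Tick { index, fee_growth_outside })
}

/// Weak load: accepts any account whose bytes parse as a tick, so a caller
/// can pass an account they created themselves carrying any fee figure.
pub fn load_tick_unchecked(acct: &Account) -> Result<Tick, TickError> {
    parse_tick(&acct.data)
}

/// Hardened load: the account must be owned by this program (only the
/// program could have written it) and sit at the address derived for this
/// pool and tick (so it is the pool's own tick, not a look-alike).
pub fn load_tick_checked(program_id: Pubkey, pool: Pubkey, tick_index: i32, acct: &Account) -> Result<Tick, TickError> {
    if acct.owner != program_id {
        return Err(TickError::WrongOwner);
    }
    if acct.key != derive_tick_address(program_id, pool, tick_index) {
        return Err(TickError::WrongAddress);
    }
    let tick = parse_tick(&acct.data)?;
    if tick.index != tick_index {
        return Err(TickError::BadData);
    }
    Ok(tick)
}

/// Constructed scenario: a genuine tick and a forged one with an inflated
/// fee figure. Returns (weak(forged), checked(forged), checked(genuine)).
pub fn demo() -> (Result<Tick, TickError>, Result<Tick, TickError>, Result<Tick, TickError>) {
    let (program, pool, attacker, idx) = (Pubkey(1), Pubkey(2), Pubkey(0xBAD), 100);
    let genuine = Account {
        key: derive_tick_address(program, pool, idx),
        owner: program,
        data: encode_tick(Tick { index: idx, fee_growth_outside: 1_000 }),
    };
    // Attacker-created account: correct byte layout, wrong owner and address.
    let forged = Account {
        key: Pubkey(0xF0F0),
        owner: attacker,
        data: encode_tick(Tick { index: idx, fee_growth_outside: u64::MAX / 2 }),
    };
    (load_tick_unchecked(&forged), load_tick_checked(program, pool, idx, &forged), load_tick_checked(program, pool, idx, &genuine))
}

fn main() {
    let (weak, checked_forged, checked_genuine) = demo();
    println!("unchecked loader, forged tick: {:?}", weak);
    println!("checked loader, forged tick:   {:?}", checked_forged);
    println!("checked loader, genuine tick:  {:?}", checked_genuine);
}
```

The unchecked loader happily returns the forged tick with its huge fee figure; the checked loader rejects it at the owner check before the data is ever read. In a real Solana program the equivalent checks are `account.owner == program_id` plus a `Pubkey::find_program_address` (or stored bump) comparison, and frameworks such as Anchor generate them from account constraints; the lesson is that a deserialization check alone proves nothing about which account you were given.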
Crema Finance Suspends Contract
The Crema team has suspended their smart contract to try to protect the remaining users' funds. The protocol is working with blockchain security firms to track where the funds go.
Once the contract is fixed, the Crema Finance devs will turn the smart contract back on.
Speculation on Twitter compares the attack on Crema to the methods of the Lazarus Group, a North Korean state-linked hacking group; this attribution is unconfirmed.
Conclusion – Crema Finance Hacked for $9 million
Crema Finance is another Solana protocol with issues. This bad news comes as part of a continuing trend of poor news for Solana, whose network was halted early in June for the 8th time.
Crema has been shut down for over a day while a fix to the smart contract is worked on. Crypto security firms are still working to find more details. Crema has indicated that it intends to work with authorities unless the hacker returns the funds, keeping a ‘white hat’ reward of under $1 million.
It is yet to be determined how this hack ends. However, one of the attacker's addresses has been flagged if you want to monitor the situation.