Crema Finance Exploited For $9 Million With A Flash Loan Attack

Crema Finance, the Solana-based lending & borrowing platform, was exploited again on July 2, 2022. The DeFi protocol was hacked for nearly $9 million as the exploit drained funds from multiple liquidity pools.

The hacker transferred the funds to a second wallet that has now been blacklisted on both Solana and Ethereum. The protocol team is trying to figure out what they can do about the hacked funds. They have enlisted the blockchain auditing company, OtterSec, to track and monitor the movvement of the hacked coins.

Crema Finance is a relatively new protocol, not to be confused with CREAM finance. CREAM had a slew of exploits and is now defunct.

What is Crema Finance?

Crema Finance is a DeFi protocol on the Solana Network. The protocol allows users to provide liquidity and in return get high returns. Crema markets itself as having protection from impermanent loss and a greater efficiency than other DeFi protocols.

Crema Finance Hacked
Crema Finance was hacked for over $9 million

The protocol is less than 6 months old and had just executed a presale of its own token, $CRM. $CRM has 3 major utilities: staking, boosting, and governance. When you stake $CRM you receive a $veCRM. $veCRM allows for boosting liquidity mining APR, a cut from the transaction fees, and ablity to vote & make proposals.

Crema offers a concentrated liquidity market maker (CLMM) that uses an augmented algorithm to drive decentralized trading. CLMM ‘allows liquidity providers to set specific price rantes, add single-sided liquidity and do range order trading’. Also according to the Crema site ‘it redefines the capital efficiency and trading depth on Solana’.

For traders, the CLMM should allow for more market depth and lower price slippage due to more liquidity concentrated around the current price. This is allegedly a big improvement on the traditional automated market maker (AMM) model.

Additionally, the liquidiy providers can more efficiently earn transaction fees by specifying a narrow price range for their capital. This means you can choose to avoid impermanent loss while earning higher fees, in theory.

Crema also has available integration with aggregators. This should lead to always finding the best price throughout Solana.

Lastly, CLMM liquidity providers receive a non-fungible token (NFT), not the fungible LP token most decentralized exchanges provide. Despite this, LP holders can still farm their LP token to earn additional rewards.

What Happened in Crema Finance Hack?

The Crema Finance team has released a handful of tweets about the hack. The latest details indicate that the hacker activated six flash loans on Solend protocol to drain the stablecoins.

If you remember, Solend had its own troubles not too long ago when they voted to seize a whales wallet.

After getting the flash loans, the hackers stole nearly $9 million.

As described in the tweets, the hacker created a fake tick account to get around the checks set up by Crema Finance. (Note – Tick accounts store price tick data in the concentrated liquidity market maker (CLMM) algorithm).

After getting the Solend flash loan, the attacker could change the pool’s transaction fee and make off with the haul. Since the CLMM relies on data from the tick account, the attacker could swap in fake fee data and claim the high fake fee amount.

Crema Finance Suspends Contract

The Crema team has suspended their smart contract to try to protect the remaining user’s funds. The protocol is working with blockchain security institutes to track where the funds go.

Once the contract is fixed, the Crema Finance devs will turn the smart contract back on.

Twitter speculation is calling the attack on Crema as being very similar to the Lazarus Group, a North Korean crypto hacking group.

Conclusion – Crema Finance Hacked for $9 million

Crema Finance is another Solana protocol with issues. This bad news comes as part of a continuing trend of poor news for Solana. Solana was halted early in June for the 8th time.

Crema has been shut down for over a day while a fix to the smart contract is worked on. Crypto security firms are still working to find more details. And Crema has indicated that it intends to work with authorities unless the hacker returns the funds (net a ‘white hat’ hack reward under $1 million).

It is yet to be determined how this hack ends. However, one of the attackers address was flagged if you want to monitor the situation.

Photo of author

Written By BowTied Effer

Finance, Fitness, Family, and Fixing Bad Advice from a Father


This article may contain links to third-party websites or other content for information purposes. BowTiedIsland may receive a commission at no cost to you if you purchase a product after clicking one of these links. The Third-Party Sites are not under the control of BowTiedIsland, and BowTiedIsland is not responsible for the content of any Third-Party Site. All information contained herein is the opinion of the writer and does not constitute financial advice. We aim to act as a neutral third party and aid in your research and analysis.

The Jungle

Crypto, Investing, and E-Commerce with BowTied Bull

The future is internet based, therefore we have a triangle based approach with crypto, e-commerce business making and Investing in traditional assets

The Culture War with BowTiedRanger

Whether you’re a political junkie or just interested in current events. 

You’ve come to the right place for analysis of the most relevant current events and political issues.

Fitness With BowTiedOx

BowTiedOx provides you a place to find all of his latest programs and guides.

Weekly newsletters that cover fitness, health, and mindset, all grounded in the fundamentals of physiology.

Media Production with BowTied Turkey and BowTied Tamarin

Video is no longer optional.

Don’t get left behind.

Your brand deserves professional videos to engage your audience.

Art & Graphic Design with BowTied Patriot

BowTied Patriot is a graphic artist who specializes in photography, mixed medium custom artwork, and NFT creation.

Join BowTiedPatriot as he dives into making Art in Web3.0 and The Metaverse.

Cooking with BowTiedOctopod

Learn secrets from a fine dining chef for maximum flavor and time-saving efficiency

Newsletters on Ingredients, Techniques and Flavor hacks that will have you eating better. We will never eat bugs!

Meme Warfare with DgenFren

Increase your online engagement, organically influence narratives, and build your online persona by using marketing that your target audience actually wants: memes.

Learn How to Sell with BowTiedSalesGuy

Sales is one of the most transferrable life skills, yet few know how to actually sell.

Traditional sales tactics don’t cut it in today’s hyper competitive world.

Learn the secrets from a Chad Salesman and change your Life forever.

Ecommerce with BowTiedOpossum

Learn the skills to start and build your first online business.

Want to build a business that travels with you?

Learn from an industry veteran that has worked on and with brands you already know.