On July 2nd 2022, DeFi Liquidity Protocol Crema Finance was hacked, and funds worth ~ $8 Million were stolen by a hacker, which resulted in a protocol-wide halt of all the operations. Crema Finance is a Concentrated Liquidity Protocol on Solana that provides a vast range of features to DeFi investors, especially to Liquidity Providers. 

Inside the Attack

The protocol has various pools that they named Concentrated Liquidity Market Maker [CLMM], which is said to be the superior version of Automated Market Maker [AMM]. According to the AMM model, only the liquidity closest to the real-time trading price is used, which means most of the liquidity providers’ capital remains unused in the long run. Resources are being wasted here. Whereas CLMM allows liquidity providers to specify specific price ranges within which their liquidity should be traded. 

After the investigation, the Crema team gave details on Twitter on how the hacker was able to steal such a massive amount of capital from the pool:

  1. The hacker first set up a fake tick account containing the information related to the prices, and the calculation of the transaction fee also depends on the price stored in the tick account.
  2. The protocol does the routine owner check-up on the tick account. Through the fake tick account, the hacker circumvented the routine owner verification.
  3. The hacker then deployed a contract and took a flash loan from Solend (a Decentralized Lending Protocol on Solana) to add liquidity to the CLLM pool on Crema.
  4. Lastly, when the transaction fee was calculated through the fake tick account, the hacker could grab the enormous capital and then withdraw the funds from the protocol draining nearly $8 million. 

The hacker then went and swapped the stolen fund into 69422.9 SOL and 6,497,738 USDCet via Jupiter and then bridged the assets to the ETH network and swapped it for 6064 ETH.

Before launching the legal investigation, the Crema team thought to open a direct negotiation with the hacker, and luckily they could chat with the person. The team offered a bounty of $700,000, but the hacker gave a counter-offer of a bounty of 45455 SOL (~ $1.4 million) in exchange for returning the funds. The negotiation was finalized, and the hacker initiated the refund in various distributed transactions.

To compensate for the loss that the users and investors faced after the hack, the Crema Finance team presented a compensation plan to compensate the affected users through 1.5% of the total hard-cap CRM (15,000,000 CRM) from the team’s allocation.

Lessons Learned From the Attack

With the increase in the use of the DeFi, and the significant uses of flash loans, the chances of making the protocols vulnerable have also increased, which could only be minimized by getting the routine auditing done after every major update/upgrade.

Explained: The Crema Finance Hack (July 2022)
Rob Behnke