Crema Finance Hack
Incident Overview
Crema Finance was attacked by a white hat hacker for ~$8.8M who then returned the majority of stolen funds, leaving the attacker with 45455 $SOL as a reward for finding the exploit. The Solana network became the place of the exploit, and all funds were transferred by the attacker through the Wormhole Bridge to the ETH network and swapped to 6K $ETH.
Crema Finance is a concentrated liquidity protocol that provides superior performance for both traders and liquidity providers on Solana network.
The hacker took advantage of the vulnerability of the Crema Finance protocol to withdraw funds from this platform, but after negotiations between Crema Finance and the attacker, they came to an agreement that the hacker would keep 45455 SOL as a reward for finding the vulnerability, and return the remaining funds back to their ETH network address.
Exploit step by step:
1) The hacker created a fake Tick account. Tick Account is a special account that stores price tick data in the Crema Finance platform.
2) After creating a fake Tick account, the attacker bypassed the standard check for the owner of the Tick account. The fraudster wrote the initialized address of the Pool Tick to a fake account in this transaction: https://solscan.io/tx/5kfoGgEvhB…KrLTev
3) Next, the hacker deployed the contract and used it to provide a flash loan from Solend to add liquidity to Crema to open positions. Contract creations transaction: https://solscan.io/tx/JdorRBPfKN…NEKqej
4) Then the hacker used smart contract to lend a flash loan from Solend to add liquidity on Crema Finance to open positions:
A) https://solscan.io/tx/5B4QXpMfpD…bKohGv
B) https://solscan.io/tx/4FaMTKqha9…kTZ83W
5) After that, the hacker exchanged tokens for $SOL, some of which are on the Solana account, and the rest was transferred to the ETH blockchain through the Wormhole.
Attacker addresses:
Solana: https://solscan.io/account/Esmx2QjmDZ…doVsvY
ETH: https://etherscan.io/address/0x8021b2962db803b73aa874030b0b42c202e8458f
Attacker's smart contract: https://solscan.io/account/CiDwX4eMS7…Cz6Bck
Contract creation transaction: https://solscan.io/tx/JdorRBPfKN…NEKqej
Victim address: https://solscan.io/account/Ej4KxxUz73…m2Ejhj
Attacker returning funds transactions:
1) https://etherscan.io/tx/0xb5935f1fc30921733644de621bb64589f57c650a1985cc5d01c9d24ce03a95bb
2) https://etherscan.io/tx/0xe7bda58d0d0e7ffdbdfd13326da8d26312442e078a86d6458c276ecbfc3a3d3a
3) https://solscan.io/tx/5BxSYVzfaN…VJDtrS
4) https://solscan.io/tx/5sN74N2Mb9…LWYjJx
Incident Report
Protocol Information
What the Attacker Needed to Succeed
Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.
What Auditors Should Check
If you're auditing a protocol with similar architecture to Crema Finance, these are the critical security checks that could have prevented this incident (July 2022).
- Verify all logic paths related to Access Control Exploit / Other are guarded by proper access controls and input validation - see the Access Control Attacks attack class for patterns
- Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs
Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.
Free TrialFunds Recovery
Recovered
$7.4M
Net Loss
1443200
Security Audit History
- Bramah Systems Report
Related Attack Classes
The technique used in this hack maps to these vulnerability classes in our security curriculum:
Sources & References
- 01
- 02
- 03
- 04
- 05
- 06
Learn to Prevent the Next Crema Finance
The Crema Finance hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.