Crema Finance Hack

TOTAL LOST $8.8M
Medium Access Control Exploit / Other solana

Summarize with AI

Affected Chain solana Incident surface
Recovered $7.4M 83.6% returned
All-Time Rank #330 By amount stolen
Auditors 1 Prior security audit

Incident Overview

Crema Finance was attacked by a white hat hacker for ~$8.8M who then returned the majority of stolen funds, leaving the attacker with 45455 $SOL as a reward for finding the exploit. The Solana network became the place of the exploit, and all funds were transferred by the attacker through the Wormhole Bridge to the ETH network and swapped to 6K $ETH.

Crema Finance is a concentrated liquidity protocol that provides superior performance for both traders and liquidity providers on Solana network.

The hacker took advantage of the vulnerability of the Crema Finance protocol to withdraw funds from this platform, but after negotiations between Crema Finance and the attacker, they came to an agreement that the hacker would keep 45455 SOL as a reward for finding the vulnerability, and return the remaining funds back to their ETH network address.

Exploit step by step:

1) The hacker created a fake Tick account. Tick Account is a special account that stores price tick data in the Crema Finance platform.

2) After creating a fake Tick account, the attacker bypassed the standard check for the owner of the Tick account. The fraudster wrote the initialized address of the Pool Tick to a fake account in this transaction: https://solscan.io/tx/5kfoGgEvhB…KrLTev

3) Next, the hacker deployed the contract and used it to provide a flash loan from Solend to add liquidity to Crema to open positions. Contract creations transaction: https://solscan.io/tx/JdorRBPfKN…NEKqej

4) Then the hacker used smart contract to lend a flash loan from Solend to add liquidity on Crema Finance to open positions:

A) https://solscan.io/tx/5B4QXpMfpD…bKohGv

B) https://solscan.io/tx/4FaMTKqha9…kTZ83W

5) After that, the hacker exchanged tokens for $SOL, some of which are on the Solana account, and the rest was transferred to the ETH blockchain through the Wormhole.

Attacker addresses:

Solana: https://solscan.io/account/Esmx2QjmDZ…doVsvY

ETH: https://etherscan.io/address/0x8021b2962db803b73aa874030b0b42c202e8458f

Attacker's smart contract: https://solscan.io/account/CiDwX4eMS7…Cz6Bck

Contract creation transaction: https://solscan.io/tx/JdorRBPfKN…NEKqej

Victim address: https://solscan.io/account/Ej4KxxUz73…m2Ejhj

Attacker returning funds transactions:

1) https://etherscan.io/tx/0xb5935f1fc30921733644de621bb64589f57c650a1985cc5d01c9d24ce03a95bb

2) https://etherscan.io/tx/0xe7bda58d0d0e7ffdbdfd13326da8d26312442e078a86d6458c276ecbfc3a3d3a

3) https://solscan.io/tx/5BxSYVzfaN…VJDtrS

4) https://solscan.io/tx/5sN74N2Mb9…LWYjJx

Incident Report

Protocol / Project Crema Finance
Date of Incident
Affected Chain(s) solana
Attack Technique Access Control Exploit / Other
Classification Protocol Logic / Exchange (DEX)
Primary Source View Post-Mortem

Protocol Information

Protocol Type Dexs
Smart Contract Language Rust
Official Website www.crema.finance/
Protocol Twitter/X @Crema_Finance
Team Anonymous
Source Code Verified On-Chain

Market Context at Time of Hack

Token Categories
DeFi DAO Ethereum Ecosystem AMM Yearn Partnerships Governance Solana Ecosystem Lending & Borrowing

What the Attacker Needed to Succeed

Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.

Technical Knowledge Operational-security tradecraft (phishing, malware, leaked seed phrases, or insider access) to obtain treasury signing authority
Capital Required Minimal capital - only enough to cover Solana network fees while draining the compromised accounts
On-Chain Access Valid signing authority over the compromised stake accounts and treasury wallets, allowing direct transfer of funds or stake authorization
Target Reconnaissance Identification of Crema Finance's high-value treasury accounts and the authority / multisig structure controlling them
Execution Speed Speed to drain the compromised accounts before the team detects the breach and revokes signing authority or freezes the assets
Obfuscation Plan A strategy to launder and move stolen funds - typically through mixers, cross-chain bridges, or decentralized DEX swaps to resist tracing

What Auditors Should Check

Could this have been caught in audit? Likely — with a thorough Access Control Exploit / Other audit checklist and test coverage
Audited by Bramah Systems — still lost $8.8M. Prior audits don't guarantee safety, especially after post-audit code changes.

If you're auditing a protocol with similar architecture to Crema Finance, these are the critical security checks that could have prevented this incident (July 2022).

  • Verify all logic paths related to Access Control Exploit / Other are guarded by proper access controls and input validation - see the Access Control Attacks attack class for patterns
  • Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs

Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.

Free Trial

Funds Recovery

83.6%

Recovered

$7.4M

Net Loss

1443200

Security Audit History

Related Attack Classes

The technique used in this hack maps to these vulnerability classes in our security curriculum:

See all Access Control Attacks examples →

Sources & References

Learn to Prevent the Next Crema Finance

The Crema Finance hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.

Recreate exploit patterns safely Free Trial