CremaFinance is the latest DeFi (decentralized finance) platform to be attacked by hackers. It is a liquidity protocol built on the Solana (SOL) network. The situation was first brought to public attention on Saturday when the platform announced suspending services and investigating the exploit. Reportedly, the attacker got away with $8.7 million in assets.
In a recent Twitter thread, CremaFinance has explained how the attacker managed to make away with the sum.
How was the hack carried out on the Solana network?
According to the platform, its tick account was vulnerable to an exploit. A tick account is an account dedicated to storing price tick data from a centralized liquidity market maker (CLMM). Transaction fees are often calculated by CLMMs using information from the tick account.
In the case of CremaFinance, the hackers swapped out actual transaction fee data with bogus data. Due to this, the attacker could withdraw a “large fee sum” from CremaFinance’s liquidity pool, causing enormous losses.
To increase liquidity on CremaFinance and open their positions, the hacker utilized a fraudulent contract to activate six flash loans from the Solana lending site Solend, according to CremaFinance.
Numerous cryptocurrencies were stolen, including Tether and Lido-staked Solana, worth millions of dollars. Per reports, the stolen assets were in the attacker’s Ethereum and Solana wallets. However, SolanaFM has now highlighted these wallets. CremaFinance hasn’t made it official as to how much cryptocurrency is still in its pools.
The event is the most recent of several DeFi exploits that have troubled the industry this year. Twenty million governance tokens worth $30 million at the time that was supposed to be used for a loan made by significant market maker Wintermute were stolen by a hacker last month from the Ethereum scaling solution Optimism.
Elrond Network, a smart contracts platform, saw almost $4 million taken from its decentralized exchange within the same month.
Nevertheless, those are nothing compared to the two biggest DeFi thefts, the $320 million hack of the digital asset bridge Wormhole in February and the $625 million assault on Axie Infinite’s Ronin bridge in March.