On July 2, a vulnerability in the handling of the tick account led to an exploit of Solana-based concentrated liquidity protocol Crema Finance, for a total of $8,782,446. Crema Finance temporarily suspended the program and is now investigating.
Crema Finance is a powerful concentrated liquidity protocol that provides superior performance for both traders and liquidity providers. It deployed the first concentrated liquidity market maker (CLMM) algorithm on Solana mainnet, which allows users to add liquidity within their specified price ranges. Crema aims to redefine capital efficiency and trading depth in non-EVM ecosystems through both its CLMM infrastructure and a series of affiliated innovations such as NFT liquidity farming, smart router, etc.
The hacker’s Solana address is Esmx2QjmDZMjJ15yBJ2nhqisjEt7Gqro4jSkofdoVsvY and the Ethereum address is 0x8021b2962dB803b73Aa874030B0B42c202E8458F; both are now blacklisted.
The hacker started by creating a fake tick account, a dedicated account that stores price tick data in CLMM. After that, the hacker circumvented Crema Finance’s owner verification on the account by writing the initialized tick address of the pool into the fake account.
Next, the hacker deployed a contract and used it to take a flash loan from Solana in order to add liquidity on Crema to other open positions. In CLMM, the calculation of transaction fees relies mainly on the data in the tick account. Because the authentic transaction fee data had been replaced by the faked data, the hacker completed the scam by claiming a huge fee amount from the pool.
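The validation gap described above, as an added Rust sketch (not Crema Finance's code): a check that trusts bytes stored inside a supplied account, next to one that first verifies the account's owner program and address. The types, the 32-byte data layout and all key values are simplified assumptions constructed for illustration.

```rust
// Added illustration with simplified stand-in types; not Crema Finance's code.
type Pubkey = [u8; 32];

struct Account {
    key: Pubkey,   // address of this account
    owner: Pubkey, // program that owns the account and alone may write to it
    data: Vec<u8>, // assumed layout: first 32 bytes hold the recorded tick address
}

struct Pool {
    program_id: Pubkey,   // the CLMM program
    tick_account: Pubkey, // tick account registered when the pool was initialized
}

#[derive(Debug, PartialEq)]
enum TickError { TooShort, WrongReference, WrongOwner, WrongAddress }

// Weak check: trusts bytes stored inside the supplied account, which any
// account creator controls.
fn validate_weak(pool: &Pool, acct: &Account) -> Result<(), TickError> {
    let stored = acct.data.get(..32).ok_or(TickError::TooShort)?;
    if stored != &pool.tick_account[..] { return Err(TickError::WrongReference); }
    Ok(())
}

// Strict check: the account must be owned by the program and be the exact
// address the pool registered, before its contents are read at all.
fn validate_strict(pool: &Pool, acct: &Account) -> Result<(), TickError> {
    if acct.owner != pool.program_id { return Err(TickError::WrongOwner); }
    if acct.key != pool.tick_account { return Err(TickError::WrongAddress); }
    validate_weak(pool, acct)
}

// Constructed sample: a pool, its genuine tick account, and a look-alike
// account owned by a different program but carrying the expected bytes.
fn sample() -> (Pool, Account, Account) {
    let pool = Pool { program_id: [1; 32], tick_account: [2; 32] };
    let genuine = Account { key: [2; 32], owner: [1; 32], data: vec![2; 64] };
    let forged = Account { key: [9; 32], owner: [7; 32], data: vec![2; 64] };
    (pool, genuine, forged)
}

fn main() {
    let (pool, genuine, forged) = sample();
    println!("weak   forged : {:?}", validate_weak(&pool, &forged));
    println!("strict forged : {:?}", validate_strict(&pool, &forged));
    println!("strict genuine: {:?}", validate_strict(&pool, &genuine));
}
```

Because fee calculation reads from the tick account, the owner and address checks have to pass before any of its data is used.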
The funds have now been located and Crema Finance will continue tracking their movements. Contracts will be resumed once the issue is fixed and the investigation completed. The company will then create a plan to patch the issue going forward.