Solana's on-chain app Crema shuts down due to hacker attack

On July 3, Crema Finance, a concentrated liquidity DeFi application on the Solana chain, announced its shutdown due to a hacker attack. The protocol’s official Twitter account cited information from the block explorer SolanaFM, stating that the value of the lost crypto assets was $8.782 million.

Early this morning, Crema Finance disclosed details of the attack in a thread, saying that hackers bypassed contract checks by creating fake price data accounts (Tick accounts), and then used fake price data and flash loans to steal huge fees from the pool.

When disclosing the flow of stolen funds, the data service provider SolanaFM stated that hackers initiated multiple flash loans from Solend, the largest lending platform on the Solana chain, and $6.497 million of the stolen funds had been transferred to the Ethereum network through the cross-chain bridge Wormhole. Currently, the hacker address has been blacklisted on Solana and the Ethereum chain.

Since the beginning of this year, there have been many security incidents on the Solana chain, including the Wormhole security incident that lost $320 million and the collapse of the stablecoin protocol Cashio due to security vulnerabilities. Some users said they were withdrawing funds from the Solana chain after the Crema Finance security incident.

Crema Finance loses over $8.7 million

Crema Finance’s official website shows that it is a concentrated liquidity protocol built on the Solana chain. The application allows users to exchange crypto assets under the Solana standard with low slippage. To date, it has processed more than $1.3 billion in transaction volume, with more than 38,000 users.

On July 4, according to the updated information on Crema Finance’s official Twitter, the attack occurred on July 2. Hackers stole the crypto assets stored in the application by creating a fake price change data account combined with a flash loan attack.

According to Crema Finance, the hackers first created a fake "Tick account". This type of account is used in Crema Finance to store price movement data. After creating the fake account, the hacker bypassed the platform's routine check on the Tick account by writing the initial Tick address of the fund pool into the fake account. The hacker then deployed a contract and used it to take a flash loan from Solend and add liquidity to Crema Finance's fund pool. On the Crema Finance platform, the calculation of transaction fees relies mainly on the data in the Tick account. "As a result, the real transaction fee data is replaced by fake data, and the hackers obtain huge fees from the pool to complete the theft."

In short, hackers exploited Crema Finance's "Tick account" vulnerability to manipulate the protocol's fund pool price in a flash loan and profit from it.
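
The account check described above can be modelled in a few lines. This is an added example, not Crema Finance's code: a simplified Rust model that assumes the check compared an address stored in the account data, with all type names, fields and sample values constructed for illustration.

```rust
// Simplified model of Solana account validation (constructed example, not Crema's code).
type Pubkey = [u8; 32];

struct TickAccount {
    owner: Pubkey,        // program that owns the account and alone may write its data
    initial_tick: Pubkey, // field in the account data: the pool's initial tick address
    fee_growth: u64,      // fee data the pool trusts when computing payouts
}

struct Pool {
    program_id: Pubkey,   // the pool program's own id
    initial_tick: Pubkey, // address of the pool's initial tick account
}

#[derive(Debug, PartialEq)]
enum TickError { WrongPool, WrongOwner }

// Weak check: compares only a value stored inside the account data.
// Any program can create an account and write that value into it.
fn read_fees_weak(pool: &Pool, tick: &TickAccount) -> Result<u64, TickError> {
    if tick.initial_tick != pool.initial_tick { return Err(TickError::WrongPool); }
    Ok(tick.fee_growth)
}

// Hardened check: first require that the pool's program owns the account,
// so its data can only have been written by the pool's own instructions.
fn read_fees_strict(pool: &Pool, tick: &TickAccount) -> Result<u64, TickError> {
    if tick.owner != pool.program_id { return Err(TickError::WrongOwner); }
    read_fees_weak(pool, tick)
}

// Constructed sample data: byte-filled placeholder addresses.
fn sample_pool() -> Pool { Pool { program_id: [1; 32], initial_tick: [7; 32] } }
fn genuine_tick() -> TickAccount {
    TickAccount { owner: [1; 32], initial_tick: [7; 32], fee_growth: 12 }
}
fn forged_tick() -> TickAccount {
    // Owned by a different program, but carries the copied address and inflated fee data.
    TickAccount { owner: [9; 32], initial_tick: [7; 32], fee_growth: 1_000_000 }
}

fn main() {
    let pool = sample_pool();
    println!("weak, forged:    {:?}", read_fees_weak(&pool, &forged_tick()));
    println!("strict, forged:  {:?}", read_fees_strict(&pool, &forged_tick()));
    println!("strict, genuine: {:?}", read_fees_strict(&pool, &genuine_tick()));
}
```

The weak check accepts the forged account because the only thing it inspects is data the account's creator controls; the owner comparison is what ties the data to the pool's own program.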

SolanaFM, a block explorer and data provider on the Solana chain, tracked the hacker’s capital flow. The agency disclosed that the hacker made at least 6 flash loans from the Solend platform, and 74,010 SOL was found to be transferred from the original wallet to an alternative wallet. It was then transferred to the Ethereum wallet in 5 batches through the Wormhole protocol.

The latest information from Crema Finance shows that the hackers have exchanged the stolen funds into 69422.9 SOL and 6497738 USDCet, of which USDCet was transferred to Ethereum through the cross-chain bridge Wormhole and exchanged for 6064 ETH through Uniswap. Combined with real-time prices, Crema Finance’s stolen crypto assets are worth more than $8.78 million.

It is reported that the Crema Finance team has contacted the unknown attacker through on-chain messages, and if the hacker agrees to return the stolen assets within 72 hours, the team will pay $800,000. The team said that if the hackers did not comply, they would contact "police and legal forces" to hunt down the hackers.

Currently, the hacker address has been tracked and blacklisted on Solana and the Ethereum chain. As of press time, the hacker address has not changed, and Crema Finance has not resumed operations.

Solana's on-chain application gradually becomes a "cash machine" for hackers

This year, the on-chain ecosystem of Solana, which competes with Ethereum in the DeFi market, has been frequently visited by hackers.

In late March, the stablecoin protocol Cashio on the Solana chain completely collapsed due to a security breach. In this incident, hackers exploited a vulnerability in the protocol that allowed them to mint an unlimited supply of CASH without sufficient positions. As a result, CASH, which was supposed to be pegged to the U.S. dollar, lost its value.

According to DefiLlama data, in this incident, hackers drained nearly $28 million worth of liquidity from decentralized exchanges on the Solana chain, and the DEX Saber stopped the CASH liquidity pool as a result.

Cashio did not officially disclose the losses caused by the attack, but some security experts estimated that the stablecoin protocol suffered losses of about $50 million based on on-chain data.

The most notorious security incident on the Solana chain occurred in February this year, when Wormhole, a cross-chain bridge connecting Ethereum and the Solana chain, lost more than $320 million in crypto assets due to a hacking attack, becoming the biggest attack on the Solana chain ecosystem to date.

At that time, the attacker minted 120,000 wrapped ETH on the Solana chain through a vulnerability in Wormhole, and then used Wormhole to exchange 80,000 wrapped ETH for legitimate ETH on the Ethereum blockchain, while another 40,000 wrapped ETH were exchanged for other assets on the Solana chain.

This security incident also made the industry begin to pay attention to the security issues of cross-chain bridges. Ethereum co-founder Vitalik Buterin once warned on Reddit about the risks of cross-chain bridges, arguing that holding ETH-native assets on Ethereum is always safer than holding ETH-native assets on Solana.

Some analysts believe that the frequent attacks on DeFi applications on the Solana chain are related to the fact that some applications are not open source, thus losing the opportunity for white hats to find loopholes for them. In addition, some applications carelessly copy the code of similar applications on the Ethereum chain, which can also lead to vulnerabilities.

How can DeFi operation teams defend against hacker attacks?

Dmitry Mishunin, the founder of DeFi security and analysis firm HashEx, suggested in a recent article that to build a secure DeFi protocol, you must first have experienced blockchain developers, who should have a professional team leader with the ability to build decentralized At the same time, it is also wise to develop with a secure code base. "Sometimes, a less recent library can be the safest choice compared to a library with the latest code base."

“Testing is another thing that any serious DeFi project must do,” says Mishunin, who always emphasizes the importance of decentralized protection of the private keys used to invoke restricted-access smart contract functions, “preferably through multi-signature, which decentralizes the public key, preventing one entity from taking full control of the contract.”

( Disclaimer: Readers are requested to strictly abide by local laws and regulations, this article does not represent any investment advice )

Are you going to withdraw funds from the Solana chain?

Origin blog.csdn.net/fengchao666/article/details/125599899