Crema Finance is a liquidity pool based on CLMM (Concentrated Liquidity Market Maker) that allows liquidity providers to set specific price ranges, add single-sided liquidity and do range order trading.

What happened

On July 2, 2022, the pool was exploited and over $8M worth of assets was drained. The hacker combined a flash loan with an exploit of the owner verification.

The project is closed source, so the information about the hack is limited. The only publicly available security audit took place in October after the incident.

Exploit Details

According to Crema Finance’s tweet, the CLMM depends on a tick account that holds the price tick data. The attacker created a fake tick account and circumvented the owner check by writing the initialised tick address of the pool into the fake account. After that, he took a flash loan from Solend and used it to deposit liquidity into the Crema liquidity pool. Because the tick price feeds into the calculation of transaction fees, the attacker was able to claim a large amount of fees by passing in the fake tick account. Finally, he withdrew the tokens originally deposited and repaid the flash loan.
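The missing check described above, as an added example that is not Crema Finance's code (the protocol is closed source): a simplified Rust model in which every type, field and function name is hypothetical, and which assumes the weak check compared a tick address stored in the account's data. It contrasts that check with one that also verifies the account's owner program and address.

```rust
// Simplified model of Solana-style account validation. Every name is hypothetical.
type Pubkey = [u8; 32];

struct AccountInfo {
    key: Pubkey,   // address of the account
    owner: Pubkey, // program that owns the account; set by the runtime, not the caller
    data: Vec<u8>, // contents; freely chosen by whichever program owns the account
}

struct Pool {
    program_id: Pubkey,   // the pool program itself
    tick_account: Pubkey, // tick account address recorded when the pool was initialised
}

#[derive(Debug, PartialEq)]
enum TickError { TooShort, WrongReference, WrongOwner, WrongAddress }

// Assumed weak check: trusts a tick address stored inside the account's own data.
fn check_tick_weak(pool: &Pool, acct: &AccountInfo) -> Result<(), TickError> {
    let stored = acct.data.get(..32).ok_or(TickError::TooShort)?;
    if stored != &pool.tick_account[..] { return Err(TickError::WrongReference); }
    Ok(())
}

// Hardened check: owner program and address are verified before the data is read.
fn check_tick_strict(pool: &Pool, acct: &AccountInfo) -> Result<(), TickError> {
    if acct.owner != pool.program_id { return Err(TickError::WrongOwner); }
    if acct.key != pool.tick_account { return Err(TickError::WrongAddress); }
    check_tick_weak(pool, acct)
}

// Constructed fixtures (not real addresses).
fn sample_pool() -> Pool { Pool { program_id: [1; 32], tick_account: [2; 32] } }
fn genuine(pool: &Pool) -> AccountInfo {
    AccountInfo { key: pool.tick_account, owner: pool.program_id, data: pool.tick_account.to_vec() }
}
fn lookalike(pool: &Pool) -> AccountInfo {
    // Different address and owner program, but data copies the pool's tick address.
    AccountInfo { key: [9; 32], owner: [7; 32], data: pool.tick_account.to_vec() }
}

fn main() {
    let pool = sample_pool();
    for (name, acct) in [("genuine", genuine(&pool)), ("lookalike", lookalike(&pool))] {
        println!("{}: weak={:?} strict={:?}", name,
                 check_tick_weak(&pool, &acct), check_tick_strict(&pool, &acct));
    }
}
```

The data-only check accepts both accounts, while the strict check rejects the look-alike because the owner field is assigned by the runtime and cannot be set by the caller.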

After the incident, Crema Finance suspended the protocol and offered the hacker an $800k white hat bounty via an on-chain message to the hacker’s Ethereum address. After negotiations, the hacker agreed to take a bounty of 45455 SOL (approximately $1.5M at that time) and returned the rest to the protocol.

In simple terms, everything points once again to the common problem that input accounts were not properly checked, similar to the Wormhole and Cashio cases. However, as the protocol is closed source, some details may be missing.
