Solana: $8.7 million stolen with a single click, Crema Finance knocked flat

DeFi bites the dust again – Security is a vital feature for any DeFi protocol that wants to thrive. Attackers are always on the lookout for the slightest error. The Crema Finance protocol, hosted on Solana, has just learned this the hard way after a hack amounting to $8.7 million.

Drained pools: Crema Finance loses a lot of money

Crema Finance is a decentralized exchange protocol hosted on the Solana blockchain. Specifically, it offers concentrated liquidity pools, enabling efficient swaps with very little slippage.

On Saturday, July 2, the protocol alerted its users that an exploit targeting its liquidity pools was in progress. Apparently the protocol's team quickly suspended the pools to try to limit the damage.

Crema Finance has alerted its users that an attack is in progress – Source: Twitter

A few hours later, the toll came in. The attacker stole $8.7 million in cryptocurrencies. In more detail, the haul consists of 69,422 SOL and 6,497,738 USDCet. Unsurprisingly, the funds were quickly sent to the Ethereum blockchain via the Wormhole bridge. They were then exchanged there for 6064 ETH on Uniswap.

The team says it is actively tracking the funds and their every transfer. Moreover, it has said it is open to negotiation, leaving the attacker an opportunity to return the money in exchange for a bounty.

Tick account & flash loans: the hacker's winning combination

On Sunday, July 3, the Crema Finance team posted a first post-mortem via Twitter, making it possible to retrace the attack.

An autopsy posted by Crema Finance the day after the hack – Source: Twitter

In fact, the attacker carried out the attack by deceiving Crema Finance's smart contracts. To do this, he created a forged tick account. For reference, tick accounts are used to store the price of a particular pair on the exchange.

This allowed him to pass off his address as a legitimate source for the price of the asset. He then deployed a smart contract to take out multiple flash loans on Solend, borrowing:

  • 400,000 USD
  • 5,500,000 USD
  • 10500 mSOL
  • 57000 stSOL
  • 840,000 PAI.

The borrowed money was subsequently deposited in the liquidity pools of Crema Finance. Finally, the attacker used the forged tick account to inflate the fees associated with the deposits.

"At Crema Finance, the calculation of transaction fees is primarily based on data from the tick account. Thus, the real transaction fee data was replaced with fake data, so the hacker completed the theft by claiming a huge amount of fees from the pools."

Postmortem for Crema Finance
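
The validation that the forged price-storing account described above has to fail, as an added example that is not Crema Finance's code: a simplified plain-Rust model (no Solana SDK) in which the fee calculation first checks that the supplied account is owned by the program and is the one registered for the pool. The types, field names, fee formula and sample values are all hypothetical.

```rust
// Simplified model of account validation on Solana. Hypothetical names throughout.
#[derive(Clone, Copy, PartialEq, Debug)]
pub struct Pubkey(pub u8); // stand-in for a 32-byte address

pub struct Account {
    pub key: Pubkey,
    pub owner: Pubkey,   // program that owns the account and alone may write to it
    pub fee_growth: u64, // fee per 1_000_000 units of liquidity, read at payout
}

pub struct Pool {
    pub program_id: Pubkey,
    pub price_account: Pubkey, // account registered when the pool was created
}

#[derive(Debug, PartialEq)]
pub enum FeeError { WrongOwner, NotRegistered }

/// Before: uses whatever account the caller passes in.
pub fn fee_unchecked(_pool: &Pool, acct: &Account, liquidity: u64) -> u64 {
    liquidity * acct.fee_growth / 1_000_000
}

/// After: the account must be owned by the program and registered for this pool.
pub fn fee_checked(pool: &Pool, acct: &Account, liquidity: u64) -> Result<u64, FeeError> {
    if acct.owner != pool.program_id {
        return Err(FeeError::WrongOwner);
    }
    if acct.key != pool.price_account {
        return Err(FeeError::NotRegistered);
    }
    Ok(liquidity * acct.fee_growth / 1_000_000)
}

/// Constructed sample data: a pool, its genuine account, and a caller-created forgery.
pub fn sample() -> (Pool, Account, Account) {
    let pool = Pool { program_id: Pubkey(1), price_account: Pubkey(10) };
    let genuine = Account { key: Pubkey(10), owner: Pubkey(1), fee_growth: 300 };
    let forged = Account { key: Pubkey(66), owner: Pubkey(2), fee_growth: 900_000 };
    (pool, genuine, forged)
}

fn main() {
    let (pool, genuine, forged) = sample();
    println!("unchecked, genuine: {}", fee_unchecked(&pool, &genuine, 5_500_000));
    println!("unchecked, forged:  {}", fee_unchecked(&pool, &forged, 5_500_000));
    println!("checked, forged:    {:?}", fee_checked(&pool, &forged, 5_500_000));
}
```

The second check matters as well: an account that the program does own but that belongs to a different pool is rejected with `NotRegistered`.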

Crema Finance about to find its hacker?

During the investigation, the Crema Finance team succeeded in finding the attacker's Ethereum address.

By analyzing it closely, we see that the attacker's address made a 5 ETH transaction a few hours before the attack. In practice, this transaction leads to a first address, where the money is sent on directly to a second address, which we will call 0x077D.

In fact, this address has a large balance of ETH which fluctuates constantly, with inflows and outflows every few minutes. Since its creation, it has received more than 300,000 ETH.

Looking at the comments associated with this address on Etherscan, we can see that this address is linked to another scam. It may have been the same hacker.

Comment on address 0x077D

While searching for more information about this address, we came across netizens explaining that their money was transferred there after being stolen in "fake giveaway" scams. These fake giveaways are run in particular through live streams on hacked YouTube channels.

In the end, this may not be our attacker's first attempt. If this is indeed the case, there is little chance that he will try to negotiate with the Crema Finance team to return the funds in exchange for a reward.

Recently, the XCarnival protocol was also the target of an attack. Fortunately for the protocol, the attacker agreed to return half of the stolen money.
