Solana-Based Liquidity Protocol CremaFinance Hacked for $8.7M

CremaFinance said Sunday it was “temporarily” suspending its service while it investigates a debilitating flash loan exploit


Blockworks exclusive art by axel Rangel


key takeaways

  • Hackers raided CremaFinance liquidity pools over the weekend, forcing the protocol to pull the plug
  • The incident is the latest in a string of exploits that have plagued the beleagured decentralized finance sector this year

Solana-based liquidity protocol CremaFinance has become the latest DeFi (decentralized finance) platform to fall victim to hackers.

First brought to attention to users on Saturday, CremaFinance said it was temporarily suspending service and investigating the exploit, believed to have totaled more than $6.4 million in digital assets at the time.

That figure was later revised to stand at over $8.7 million, Solana blockchain explorer SolanaFM said in a tweet. The hacker exploited a vulnerability in the protocol’s tick account, CremaFinance said.

A tick is a dedicated account that stores price “tick data” from a centralized liquidity market maker (CLMM). In DeFi, CLMMs typically calculate transaction fees based on data in the tick account.

In CremaFinance’s case, the authentic transaction fee data was replaced by the hacker’s faked data. This allowed the attacker to claim a “huge fee amount” out of CremaFinance’s liquidity pool, resulting in epic losses.

The hacker deployed a malicious contract and used it to activate six flash loans from Solana lending platform Solend in order to add liquidity on Crema and open their positions, CremaFinance said.

Millions of dollars in various cryptocurrencies, including tether and lido staked solana, were taken. Stolen funds are being held in the hacker’s Ethereum and Solana wallets, which have since been flagged by SolanaFM. CremaFinance is yet to confirm exactly how much crypto was left in its pools.

The firm announced it had raised $5.4 million in a private fundraising round just two weeks ago. CremaFinance is not to be confused with DeFi’s Cream Finance, which has suffered multiple “flash loan exploits” in the last year, including a $130 million hack in October.

But the incident is the latest in a string of DeFi exploits that have plagued the sector this year. Last month, a hacker stole 20 million governance tokens from Ethereum scaling solution Optimism, worth around $30 million at the time, that were intended for a loan deployed by major market maker Wintermute.

In the same month, smart contracts platform Elrond Network witnessed around $4 million siphoned off its decentralized exchange.

Still, those pale in comparison to digital asset bridge Wormhole’s $320-million hack in February and April’s $625-million attack on Axie Infinite’s Ronin bridge — the two largest DeFi thefts to date.

Don’t miss the next big story – join our free daily newsletter.


Upcoming Events

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

MON - WED, MARCH 18 - 20, 2024

Crypto’s premier institutional conference returns to London in March 2024. The DAS: London Experience:  Attend expert-led panel discussions and fireside chats  Hear the latest developments regarding the crypto and digital asset regulatory environment directly from policymakers and experts   Grow your network […]

recent research

Pyth Cover.jpg


Pyth is a low latency pull-based oracle. In a future that looks increasingly high frequency, with various alt L1s and L2s that have significantly shorter block times than Ethereum, and an explosion of “high-frequency” protocols such as oracle or CLOB perp DEXs, Pyth’s low latency oracle product looks much better positioned to capture a significant amount of market share in comparison to competitors.


Binance and its former CEO have pleaded guilty to federal charges of over $4.3 billion


Comments come as Binance is set to pay and forfeit $4.3 billion to US regulators, while Changpeng Zhao agrees to step down


Binance will pay $4.3 billion as part of the settlement announced Tuesday


Binance’s newest CEO has a history of holding regulatory positions


An exploiter tried to drain funds from Indexed Finance DAO but was caught after refusing to share the funds with a blackmailer


The DOJ made the plea agreements of Binance and Changpeng Zhao public on Tuesday