Solana-based concentrated liquidity protocol Crema Finance announced that it would temporarily suspend its services to investigate an exploit that stole over $6 million from the protocol.
It announced this on Twitter early today, adding that it will communicate further updates soon. Additionally, the team has secured the services of blockchain audit firm OtterSec to investigate the exploit.
According to a blockchain auditing firm, OtterSec, the hacker used Solend flash loans to drain the protocol pools. The attacker first deployed their on-chain program, so they could use the flash loans.
Then they used the flash loans to call “three key instructions on the Crema contract: DepositFixTokenType, Claim, and WithdrawAllTokenTypes.” With these, they could deposit and withdraw the exact amount they deposited plus additional tokens.
Additionally, the cofounder of Crema Finance, Henry Du, confirmed that an investigation had started.
We are working with some security companies and got support from Solana, Solscan, and Etherscan, etc. We will continue to post any update via official Twitter account.
The Crema team has also reached out to the hacker via an on-chain message to the hacker’s Ethereum address.
Hacker remains unknown
Unfortunately, the hacker’s identity remains unknown, as they disabled the program immediately after the exploit.
Crypto Twitter is already knee-deep in its investigation as it awaits the official investigations. The community has identified a wallet belonging to the hacker. It currently contains 69,422.89 SOL which is equivalent to $2.3 million. Another user claimed that the attacker was already washing the money.
So far, several Solana-based protocols such as Solend, Port Finance, and Solscan have expressed their support and willingness to help.
The temporary suspension of services appears to be an attempt to prevent the hacker from draining its reserves. But some in the community have said that the hacker made off with about 90% of the liquidity on some Crema Finance pools.
Crema Finance just raised $5.4 million
The attack comes only two weeks after Crema Finance raised $5.4 million in a private funding round. Qiming Venture Partners led the funding round, which also included Everest Ventures Group, AGE Fund, Big Brain Holdings, Summer Capital, etc.
Crema Finance is not connected to Cream Finance, the decentralized finance protocol that lost over $100 million to flash loan attacks in 2021.
BeInCrypto has reached out to company or individual involved in the story to get an official statement about the recent developments, but it has yet to hear back.