Nearly $9 million stolen from DeFi platform Crema Finance
Decentralized finance platform Crema Finance announced that it was hacked on Saturday and had about $8.8 million stolen during the attack.
In a series of tweets over the July 4 weekend, the company explained that the hacker used several novel tactics enabling them to take out six flash loans, a common tactic of DeFi attackers.
The company said it is now working with law enforcement and blockchain security companies to trace the stolen funds. In total, the hackers stole 69,500 SOL, worth about $2.3 million, and stablecoins worth about $6.5 million.
Besides, we just sent out an on-chain message to the hacker’s ethereum address via tx https://t.co/rOZLKyJq82. pic.twitter.com/4FomFWAw3O
— CremaFinance (@Crema_Finance) July 3, 2022
The company sent a message to the hackers, offering them $800,000 in exchange for the return of the stolen funds.
“Your addresses on both Solana and Ethereum, have been blacklisted and all eyes are on you right now. You have 72h from now to consider becoming a white hat and keeping $800k as the bounty,” the company said in a note to the hacker.
“And transfer remaining funds back to our contract-update-authority address. Otherwise the police and legal force will officially get involved and there will be endless tracing waiting for you.”
Several blockchain security companies showed that the hacker conducted the exploit by uploading a malicious on-chain program which could then be used to deploy multiple flash loan attacks.
In a flash loan attack, a hacker uses a fast, uncollateralized loan to target vulnerabilities in a project's design.
1a/: Solend Flash Loans
Hacker’s wallet: https://t.co/mTjTSD0pVh
The hacker managed to activate 6 flash loans on @solendprotocol:
400,000 $USDH (Solend Stable Pool Vault): https://t.co/JiB5CP2uV2
5,500,000 $USDT (Solend Main Pool Vault): https://t.co/JiB5CP2uV2
cont'd.. pic.twitter.com/m0o2I4GgDI
— Solana.FM (@solanafm) July 3, 2022
Flash loan attacks have become one of the most popular ways hackers target DeFi platforms. In April, hackers stole $11.2 million worth of Binance Coin from DeFi platform Elephant Money.
Cream Finance was hit with three different flash loan attacks in 2021, costing the DeFi platform $130 million in October, $37 million in February and another $29 million in August.
Blockchain analysis firm Chainalysis said at least $2.2 billion was stolen from DeFi protocols in 2021. Last month, the Ronin Network announced that hackers stole more than $500 million worth of cryptocurrency, making it one of the largest attacks ever.
Ronghui Gu, co-founder of crypto security firm CertiK, told The Record that the flash loan attack used by the hacker in this incident was specific and surprising in many ways.
“This kind of complicated exploit highlights the constantly shifting frontier of crypto security,” Gu said.
“This is a reminder that hackers are always finding new ways to use old tricks, and for web3 to become a truly secure ecosystem, it requires both the web3 security industry and projects themselves to get better at anticipating, not just responding to, attacks.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.