Crema Finance, a centralized liquidity protocol on the Solana blockchain, made an emergency announcement on Twitter warning users that the project had been hacked and was forced to suspend operations while it handles the incident.
Immediately after discovering the hack, Crema Finance suspended liquidity services to prevent the hacker from draining all liquidity reserves, including the funds of service providers and investors.
Crema Finance says it is giving the hacker 72 hours to return the money, and that the hacker may keep $800,000 as a bug bounty reward. If not, the project says it will bring in law enforcement to investigate and track down the culprit.
Crema does not yet have accurate information on how the attack was carried out. Based on the data collected so far, xNFT account Pierre Arowana gave a rough explanation on Twitter:
To attack Crema Finance, the hacker used a flash loan tool on Solend, borrowed an amount of money and then deposited it into the pool. The hacker then took advantage of deposit, claim and withdrawal orders to withdraw money. The key here is that the hacker could claim the fee from the pool "comfortably" (usually only those who provide liquidity can claim it, and the fee is divided according to each provider's share of the liquidity supplied).
xNFT Pierre Arowana commented that this is a fundamental error on Solana: when an account is not fully authenticated, hackers can create fake data to manipulate the project.
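The missing account check described above, as an added example that is not Crema Finance's code: a simplified plain-Rust model of a fee claim that trusts a caller-supplied account, beside a version that verifies the account's owner program and pool first. The `FeeRecord` layout, the function names and all addresses and amounts are hypothetical and constructed for illustration.

```rust
// Simplified model of Solana account checks; constructed for illustration.
#[derive(Clone, Copy, PartialEq, Debug)]
struct Pubkey(u8); // stand-in for a 32-byte address

// Hypothetical fee record passed to a claim instruction by the caller.
struct FeeRecord {
    owner: Pubkey,  // program that owns the account; only it can write the data
    pool: Pubkey,   // pool the record says it belongs to
    fees_owed: u64, // fees the record says are claimable
}

const PROGRAM_ID: Pubkey = Pubkey(1); // the liquidity program (constructed)
const POOL: Pubkey = Pubkey(2); // the pool being claimed from (constructed)

#[derive(Debug, PartialEq)]
enum ClaimError { WrongOwner, WrongPool }

// Before: pays out whatever the supplied record says.
fn claim_unchecked(rec: &FeeRecord) -> u64 {
    rec.fees_owed
}

// After: the record must be owned by this program and tied to this pool.
fn claim_checked(rec: &FeeRecord, pool: Pubkey) -> Result<u64, ClaimError> {
    if rec.owner != PROGRAM_ID {
        return Err(ClaimError::WrongOwner);
    }
    if rec.pool != pool {
        return Err(ClaimError::WrongPool);
    }
    Ok(rec.fees_owed)
}

// Constructed samples: a record written by the program itself, and one
// created outside the program with made-up data.
fn genuine() -> FeeRecord { FeeRecord { owner: PROGRAM_ID, pool: POOL, fees_owed: 40 } }
fn forged() -> FeeRecord { FeeRecord { owner: Pubkey(9), pool: POOL, fees_owed: 1_000_000 } }

fn main() {
    println!("unchecked, forged: {}", claim_unchecked(&forged()));
    println!("checked, forged:   {:?}", claim_checked(&forged(), POOL));
    println!("checked, genuine:  {:?}", claim_checked(&genuine(), POOL));
}
```

The owner check works because only the owning program can write an account's data on Solana, so a record created outside the program fails it regardless of what its data fields say.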
Crema Finance is a fairly new liquidity aggregator project on Solana. After the attack, the project's TVL immediately dropped sharply (from 12.55 million USD on March 2 to only about 3.8 million USD today).