CertiK: Crema Finance was attacked and lost $8.8 million
On July 3, 2022, Beijing time, the CertiK security team detected that the Crema Finance project on the Solana chain was hacked, resulting in a loss of approximately US$8.8 million.
Crema Finance is a liquidity protocol built on Solana that provides a range of functions for traders and liquidity providers. After discovering the hack, the project temporarily halted operations to prevent the attacker from draining more funds from the platform.
The CertiK security team's preliminary investigation indicates that the attacker funded the exploit with 6 separate flash loans from the Solend protocol. The attacker forged a tick account, deposited and withdrew the borrowed tokens, and called three functions to carry out the attack: "DepositFixedTokenType", "Claim" and "WithdrawAllTokenTypes". When "Claim" is called, the previously forged tick account lets the attacker receive additional tokens that were never earned.
Crema Finance then contacted the attacker and stated that "the hacker has 72 hours to consider becoming a white hat hacker and keeping $800,000".
Attack steps
① The attacker prepares a fake tick account for later use when calling the "Claim" function.
② The attacker borrows the required tokens via flash loan and uses them as the deposit when interacting with Crema Finance.
③ The attacker calls the "DepositFixTokenType" function, depositing the flash-loaned amount into the corresponding pool.
④ The attacker obtains additional tokens by calling the "Claim" function with the forged tick account.
Whereabouts of assets
At the time of writing, the CertiK security team estimated the total damage at approximately $8.78 million.
Closing remarks
Based on the attack flow reconstructed so far and the information published by Crema Finance, the root cause was a missing validation of the tick account in the project's program. The tick account is an important data account that stores price (tick) information; the program apparently did not verify the account's owner or the origin of its data, or those checks could be bypassed easily, so a caller-supplied account with attacker-chosen contents was accepted as genuine.
Missing account checks of this kind are not uncommon. Safe handling of accounts is arguably the single most important concern when writing a Solana program, because every account an instruction touches is supplied by the caller. Related examples include, but are not limited to, missing account owner verification and mixing up data accounts belonging to different users.
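The following is an added example, not Crema Finance's code and not CertiK's, that illustrates the class of bug described above in a simplified model of Solana's account model. `Pubkey`, `AccountInfo`, `TickAccount` and the byte layout are hypothetical stand-ins (the real `solana_program` crate is not used, so the block runs offline). It contrasts a loader that trusts whatever account the caller passes as the "tick" with one that checks the account's owner, its type discriminator, and its linkage to the pool before using its data.

```rust
// Added example (not the project's code): a minimal model of why a Solana
// program must validate caller-supplied accounts before trusting their data.
// Pubkey, AccountInfo and the tick layout below are hypothetical stand-ins
// for the real solana_program types.

#[derive(Debug, Clone, PartialEq)]
pub struct Pubkey(pub [u8; 32]);

/// Simplified stand-in for solana_program::account_info::AccountInfo.
#[derive(Debug, Clone)]
pub struct AccountInfo {
    pub key: Pubkey,
    /// The program that owns this account. On Solana only the owner may
    /// write the account's data, which is what makes the owner check
    /// meaningful: an attacker can fill an account THEY own with any bytes,
    /// but cannot produce a program-owned account with arbitrary contents.
    pub owner: Pubkey,
    pub data: Vec<u8>,
}

/// Hypothetical tick layout: 8-byte discriminator, 32-byte pool key,
/// 8-byte little-endian fee-growth value that a Claim-style path pays from.
pub const TICK_DISCRIMINATOR: [u8; 8] = *b"TICKACCT";
pub const TICK_LEN: usize = 8 + 32 + 8;

#[derive(Debug, PartialEq)]
pub struct TickAccount {
    pub pool: Pubkey,
    pub fee_growth: u64,
}

#[derive(Debug, PartialEq)]
pub enum ProgramError {
    InvalidAccountData,
    IncorrectProgramId,
    InvalidDiscriminator,
    PoolMismatch,
}

fn parse_tick(data: &[u8]) -> Result<TickAccount, ProgramError> {
    if data.len() < TICK_LEN {
        return Err(ProgramError::InvalidAccountData);
    }
    let mut pool = [0u8; 32];
    pool.copy_from_slice(&data[8..40]);
    let mut fg = [0u8; 8];
    fg.copy_from_slice(&data[40..48]);
    Ok(TickAccount { pool: Pubkey(pool), fee_growth: u64::from_le_bytes(fg) })
}

/// VULNERABLE pattern: deserialises whatever account was passed as "tick".
/// A forged account with an inflated fee_growth is accepted as genuine.
pub fn load_tick_unchecked(tick: &AccountInfo) -> Result<TickAccount, ProgramError> {
    parse_tick(&tick.data)
}

/// HARDENED pattern: owner check first (defeats forged accounts outright),
/// then discriminator (rejects other account types owned by this program),
/// then pool linkage (rejects a genuine tick account from a different pool).
pub fn load_tick_checked(
    program_id: &Pubkey,
    pool: &AccountInfo,
    tick: &AccountInfo,
) -> Result<TickAccount, ProgramError> {
    if tick.owner != *program_id {
        return Err(ProgramError::IncorrectProgramId);
    }
    if tick.data.len() < TICK_LEN || tick.data[..8] != TICK_DISCRIMINATOR {
        return Err(ProgramError::InvalidDiscriminator);
    }
    let parsed = parse_tick(&tick.data)?;
    if parsed.pool != pool.key {
        return Err(ProgramError::PoolMismatch);
    }
    Ok(parsed)
}

/// Builds a tick account with the layout above. With `owner` set to the
/// attacker's own program this is exactly a forged account: correct bytes,
/// wrong owner. With `owner` set to the real program it models a legitimate one.
pub fn make_tick(owner: &Pubkey, pool: &Pubkey, fee_growth: u64) -> AccountInfo {
    let mut data = Vec::with_capacity(TICK_LEN);
    data.extend_from_slice(&TICK_DISCRIMINATOR);
    data.extend_from_slice(&pool.0);
    data.extend_from_slice(&fee_growth.to_le_bytes());
    AccountInfo { key: Pubkey([9u8; 32]), owner: owner.clone(), data }
}

fn main() {
    let program = Pubkey([1u8; 32]);
    let attacker_program = Pubkey([2u8; 32]);
    let pool = AccountInfo { key: Pubkey([3u8; 32]), owner: program.clone(), data: vec![] };
    let forged = make_tick(&attacker_program, &pool.key, u64::MAX);
    println!("unchecked: {:?}", load_tick_unchecked(&forged));
    println!("checked:   {:?}", load_tick_checked(&program, &pool, &forged));
}
```

The order of the checks matters: the owner check is the one that actually stops a forged account, because the discriminator and pool key are plain bytes an attacker can copy into an account they control. Real programs additionally derive the expected tick address as a PDA of the pool and compare it with the passed key, which this simplified model omits.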
After the attack, CertiK's Twitter early-warning account and its official early-warning system published the news immediately. CertiK will continue to publish project-related warnings (attacks, fraud, rug pulls, and so on) on its official accounts.