Crema Finance Attacker Returns Almost $8M, Keeps $1.7M Bounty

The attacker behind the exploit of Solana-based liquidity protocol Crema Finance returned more than $8 million worth of tokens, keeping roughly $1.68 million as a "white hat" bounty, Crema developers said Thursday.

The protocol had more than $9 million worth of cryptocurrencies stolen from its platform over the weekend in a flash loan attack. Flash loans allow traders to borrow unsecured loans from lenders by relying on smart contracts instead of third parties.

“The hacker agreed to take 45455 SOL as the white hat bounty,” the developers said in a tweet. “Now we have confirmed the receipt of 6064 ETH + 23967.9 SOL in the four transactions.”

The developers said a compensation plan will be released in 48 hours for users affected by the attacker.

The protocol allows liquidity providers to set specific price ranges, add single-sided liquidity and conduct range order trading. This makes for a sophisticated and decentralized trading platform.

The exploit involved the attacker creating a fake tick account on Crema. A tick account is "a dedicated account that stores price tick data in CLMM,” the developers said, referring to Crema's market-making protocol. After that, the attacker exploited a command by writing the data on the fake account and circumventing security measures.

A flash loan was then used to manipulate the prices of assets on liquidity pools. This, along with the false data entries, allowed the attacker to claim “a huge fee amount out from the pool,” as previously reported.