Solana's on-chain application Crema shut down due to hacker attack

On July 3, Crema Finance, a centralized liquidity DeFi application on the Solana chain, announced its outage due to a hacker attack. The official Twitter account of the agreement quoted information from SolanaFM, an on-chain browser, saying that the value of the lost encrypted assets was 8.782 million US dollars.

In the early hours of this morning, when Crema Finance disclosed the attacked thread, it stated that hackers bypassed contract checks by creating false price change data accounts (Tick accounts ), and then used false price data and flash loans to steal huge fees from the fund pool.

When disclosing the flow of stolen funds, the data service provider SolanaFM stated that hackers initiated multiple flash loans from Solend, the largest lending platform on the Solana chain, and $6.497 million of the stolen funds have been transferred to the Ethereum network through the cross-chain bridge Wormhole . Currently, the hacker address is blacklisted on the Solana and Ethereum chains.

Since the beginning of this year, a number of security incidents have occurred on the Solana chain, including the Wormhole security incident that lost $320 million and the collapse of the stablecoin protocol Cashio due to security vulnerabilities. Some users said they were withdrawing funds from the Solana chain after the Crema Finance security incident.

Crema Finance loses more than $8.7 million

The official website of Crema Finance shows that it is a centralized liquidity protocol built on the Solana chain. The application allows users to exchange encrypted assets under the Solana standard with low slippage. users.

On July 4th, according to the updated information on Crema Finance’s official Twitter, the attack occurred on July 2nd. Hackers stole encrypted assets stored in the app by creating false price change data accounts and combining flash loan attacks. .

According to Crema Finance, hackers first created a fake "Tick account" account. This account is used at Crema Finance to store price movement data. After creating the fake account, the hacker bypassed the platform’s routine check of the Tick account by writing the initial Tick address of the fund pool into the fake account; after that, the hacker deployed a contract and used the contract to complete the flash loan from Solend for Crema Finance's fund pool increases liquidity; in the Crema Finance platform, the calculation of transaction fees mainly relies on the data in the Tick account, "As a result, the real transaction fee data is replaced by forged data, and hackers claim huge fees from the pool. Complete the steal."

In short, hackers used the "Tick account" vulnerability of Crema Finance to manipulate the price of the fund pool of the agreement in the form of flash loans, and profited from it.

SolanaFM, the browser data provider on the Solana chain, tracked the hacker’s fund flow. The agency disclosed that the hacker made at least 6 flash loans from the Solend platform, and 74,010 SOL was found to be transferred from the original wallet to another alternative wallet. Then it was transferred to the Ethereum wallet in 5 batches through the Wormhole protocol.

The latest information from Crema Finance shows that hackers have converted the stolen funds into 69422.9 SOL and 6497738 USDCet, of which USDCet was transferred to Ethereum through the cross-chain bridge Wormhole and converted into 6064 ETH through Uniswap. Combined with real-time prices, the stolen encrypted assets of Crema Finance are worth more than $8.78 million.

It is reported that the Crema Finance team has contacted the unknown attacker through chain messages, and if the hacker agrees to return the stolen assets within 72 hours, the team will pay $800,000. The team said that if the hackers did not comply, they would contact "police and legal forces" to hunt down the hackers.

Currently, the hacker address has been tracked and blacklisted on the Solana and Ethereum chains. As of press time, the hacker address has not changed, and Crema Finance has not yet resumed operations.

The application on the Solana chain is gradually becoming a hacker's "cash machine"

This year, the ecology on the Solana chain, which competes with Ethereum in the DeFi market, has frequently encountered hackers.

In late March, Cashio, the protocol stablecoin protocol on the Solana chain, completely collapsed its stablecoin CASH due to a security breach. In this incident, hackers exploited a vulnerability in the protocol that allowed them to mint an unlimited supply of CASH without sufficient positions. CASH, which was supposed to be pegged to the U.S. dollar, lost value due to the incident.

According to data from DefiLlama, in this incident, hackers consumed nearly $28 million worth of liquidity from the decentralized exchange on the Solana chain, and DEX Saber therefore stopped the CASH liquidity pool.

Cashio officially did not disclose the losses caused by the attack, but some security experts estimated based on on-chain data that the stablecoin protocol suffered losses of about $50 million.

The most notorious security incident on the Solana chain occurred in February this year. At that time, Wormhole, a cross-chain bridge connecting Ethereum and the Solana chain, lost more than $320 million in encrypted assets due to hacking attacks, becoming the largest attack on the Solana chain ecology so far. .

At that time, the attacker minted 120,000 encapsulated ETH on the Solana chain through the loophole in Wormhole, and then used Wormhole to exchange 80,000 encapsulated ETH for legal ETH on the Ethereum blockchain, and at the same time, another 40,000 encapsulated ETH Convert to other assets on the Solana chain.

This security incident also caused the industry to pay attention to the security issues of cross-chain bridges. Ethereum co-founder Vitalik Buterin warned on Reddit of the risks of cross-chain bridges. He believes that holding ETH native assets on Ethereum is always safer than holding ETH native assets on Solana.

Some analysts believe that the frequent attacks on DeFi applications on the Solana chain are related to the fact that some applications are not open source, thus losing the opportunity for white hats to find vulnerabilities for them; in addition, some applications carelessly copy similar applications on the Ethereum chain code may also lead to vulnerabilities.

For the DeFi operation team, how to defend against hacker attacks?

Dmitry Mishunin, founder of DeFi security and analysis company HashEx, suggested in a recent article that to build a secure DeFi protocol, you must first have experienced blockchain developers. They should have a professional team leader with the ability to build decentralized At the same time, it is also wise to use a secure code base for development. "Sometimes, compared with a library with an up-to-date code base, a library that is not very up-to-date may be the safest choice."

"Testing is another thing that all serious DeFi projects must do." Mishunin said, he always emphasized the importance of decentralized protection of those private keys used to call restricted access smart contract functions, "It is best to pass Multisig decentralizes the public key, preventing one entity from taking full control of the contract.”