Crema Finance Issues Recovery Plans After $8.8M Crypto Hack
Audit, Bounty Plan Issued Following $1.7M Bounty Paid to Hacker for Stolen Funds
Crema Finance has published its compensation and recovery plans following last week's $8.8 million hack on the decentralized finance platform. The hacker has returned the stolen funds in exchange for a $1.68 million "bounty" offered by the company.
Crema Finance is a concentrated liquidity protocol built on the Solana blockchain.
Before revamping the protocol over the coming weeks, the company says in its Friday blog post that it intends to:
- Have multiple auditors review its new smart contract;
- Manage risk with crypto insurance;
- Set up a new bug bounty program.
Bramah Systems, which originally audited the Crema Finance smart contracts, did not respond to Information Security Media Group's request for comment.
Crema Finance has also detailed its compensation plans in the blog post. The plans will re-enable the affected parties to withdraw funds and reclaim their on-chain governance powers, which allow governance token holders to manage and implement any new changes on the blockchain.
On July 2, a hacker conducted an exploit by uploading a malicious on-chain program to deploy multiple flash loan attacks over the course of a few hours, blockchain security company CertiK tells Information Security Media Group.
In a flash loan attack, bad actors use a fast, uncollateralized loan feature - called flash loans - to target vulnerabilities in a project's design.
The hacker stole $8.8 million worth of cryptocurrencies during this period. Crema Finance suspended its smart contract to minimize the impact of the hack and retained cryptocurrency security organizations to investigate the incident, it says in a tweet. The company also details the hacker's attack steps in the tweet thread.
SolanaFM Explorer tracks the path of the stolen assets:
"On 2nd July, a vulnerability in the ticks account caused an exploit on @Crema_Finance for a total amount of $8,782,446. We worked closely with the Crema team alongside @osec_io to break down the movement of the stolen funds following the exploit." - SolanaFM: EXPLORER UP! (@solanafm), July 3, 2022
The same day, Crema Finance sent an on-chain message to the hacker's Ethereum address, offering them an $800,000 "bounty" in exchange for the stolen funds.
"Your addresses on both Solana and Ethereum, have been blacklisted and all eyes are on you right now. You have 72h from now to consider becoming a white hat and keeping $800k as the bounty," says the company's note to the hacker.
On July 6, the negotiations between Crema Finance and the hacker concluded, with the former agreeing to pay the bad actor a "bounty" of about $1.68 million. "After a long negotiation, the hacker agreed to take 45455 SOL as the white hat bounty. Now we have confirmed the receipt of 6064 ETH + 23967.9 SOL in four transactions indicated below...," Crema Finance says in a tweet.
"Such bargaining tactics are becoming standard practice in responding to an attack, yet typically with little results," Ronghui Gu, co-founder of CertiK, tells ISMG.
The Crema Finance incident also highlights the constantly shifting frontier of crypto security, Gu says.
"This is a reminder that hackers are always finding new ways to use old tricks, and for web3 to become a truly secure ecosystem, it requires both the web3 security industry and projects themselves to get better at anticipating, not just responding to, attacks," he says.
Flash Loan Attacks
Flash loan attacks are becoming increasingly popular among hackers. A total of $308,002,694 was lost due to 27 flash loan attacks in the second quarter of 2022, the highest number ever recorded, CertiK says in a Web3 security report shared with ISMG.
The number of attacks increased 66.7% from Q1 to Q2, and the amount of funds lost increased 2,000% during the same period, the report says.
The $182 million Beanstalk Farms incident and the $79 million flash loan attack against Fei Protocol were the biggest contributors to Q2 numbers. Fei Protocol had offered a $10 million "no questions asked" bounty to hackers in an attempt to recover some of the funds stolen from its recently merged decentralized autonomous organization partner Rari Capital.
To put the numbers in perspective, the biggest flash loan attack in Q1 was the $3 million attack against Deus Finance, the report says.