Following Hack, Crema Finance Makes Out Much Better Than Harmony - Recovers $8 Million
"Crema Finance will be taking a slight haircut, but it could have been much worse" [Head Topics. Crema hacker returns $8M, keeps $1.6M in deal with protocol. (Accessed July 8, 2022)]. "The Crema Finance team awarded the hacker who made off with nearly $10 million in funds from the protocol 16.7% of the stolen funds as a white hat bounty" [Newar, B. Crema hacker returns $8M, keeps $1.6M in deal with protocol. (Accessed July 8, 2022)].
"Crema’s team began an investigation to identify the hacker by tracking their Discord handle and tracing the original gas source for the hacker’s address. Just as it seemed the team may have been onto the secret identity, it announced that it had been negotiating with the hacker. On Wednesday, the hacker returned 6,064 Ether (ETH) and 23,967 SOL worth roughly $8 million" [Id].
It might be remembered that over this past weekend Crema Finance suffered a flash loan exploit in the sum of ~$9 Million. [A flash loan permits investors to obtain unsecured loans from lenders using smart contracts instead of third parties and must be repaid within the same blockchain block]. [See e.g. Nagoda, K. Yup! Another Day, Another Hack!. (Accessed July 8, 2022)].
The protocol allows liquidity providers to set specific price ranges, add single-sided liquidity and conduct range order trading. This makes for a sophisticated and decentralized trading platform. The exploit involved the attacker creating a fake tick account on Crema. A tick account is 'a dedicated account that stores price tick data in CLMM', the developers said, referring to Crema's market-making protocol. After that, the attacker exploited a command by writing the data on the fake account and circumventing security measures. A flash loan was then used to manipulate the prices of assets on liquidity pools. This, along with the false data entries, allowed the attacker to claim 'a huge fee amount out from the pool'.
[Malwa, S. Crema Finance Attacker Returns Almost $8M, Keeps $1.7M Bounty. (Accessed July 8, 2022)].
The Crema Team "announced on Tuesday before the deal had been reached, that it submitted new code for auditing to ensure that the same exploit did not happen again... The Crema protocol will be back up and running after the audit is complete, according to the team’s tweet. The team will also issue a compensation plan for affected users by July 8" [Newar, supra].
Crema is lucky to have recovered as much of the funds as it did, considering the calamity that befell the Horizon Bridge on Harmony last month. A hacker stole $100 million in crypto from Harmony’s token bridge and rejected the $1 million white hat bounty to return the funds.
[Id].
Posted Using LeoFinance Beta
At least they got most of it back, but need to tighten up their security though!