Logic error: the Claim instruction provides more tokens than the original deposit.
Days in Operation:
Crema Finance is a 'Concentrated' liquidity protocol that enables you to swap, earn and build with Crema's programmable liquidity network unleashing the full potential of your assets.
The project announced that the protocol was hacked for approximately $6M. According to Otter Security, unlike previous attacks, this hacker used Solend flash loans to drain the pool. The flash loan calls three key instructions on the Crema contract: DepositFixTokenType, Claim, and WithdrawAllTokenTypes. The attacker is able to Deposit and then Withdraw the same amount of tokens, while receiving additional tokens from the Claim instruction.
Updated 7/6: The project negotiated with the hacker, who returned 6064 ETH + 23967.9 SOL and kept 45,455 SOL as a reward.
The hacker used Wormhole to bridge the stolen assets to Ethereum, where they were exchanged for USDC and USDT via Popsicle.
Crema Finance sent an onchain message offering $800k as bounty for the return of the remaining funds.