CremaFinance closes investigation into hack, recovers most funds

The hacker accepted the protocol’s offer to keep a part of the stolen funds in exchange for immunity to further investigation, CremaFinance said.

CremaFinance, a liquidity protocol built on Solana, announced it has successfully recovered most of the funds stolen as a result of a hack that occurred on Saturday. The operation was carried out in collaboration with crypto security firm TRM Labs, with which Crema said it would continue working on a permanent basis.

Crema also thanked on-chain sleuths ZachXBT and OtterSec for their involvement in the investigation. According to ZachXBT, the hacker “did a relatively poor job of covering their tracks” and was identified based on “two suspiciously timed Tornado withdrawals.”

The hacker was then approached by Crema and, after “long” negotiations, agreed to keep 45,455 SOL as a bounty and return the rest. In exchange, Crema said it would not pursue further investigation or involve “police and legal force.” The hacker then returned 6,064 ETH and 23,967.9 SOL.

As hacks in DeFi become increasingly common, some crypto experts have argued that protocols’ security should rely on bug bounty programs and even hostile hack management, incentivizing hackers to exploit flaws in good faith.

Total value locked dropped 69%

The hack, which was made possible by a fake tick account, resulted in 69,422 SOL (about $2.2 million) and 6,064.44 ETH (approximately $6.5 million) being drained. The TVL of CremaFinance then dropped 69% to $3.87 million overnight.

CremaFinance TVL dropped 69% in a single day. Source: DeFi Llama

The team has submitted a new code base to SlowMist, another blockchain security firm that played a part in the investigation, for an external audit. For now, all operations remain suspended, but Crema said it would resume trading when the audit is completed.