Cyber Incident Victim: Crema Finance

Date: Jul 2022

Location: South Korea

Summary

A concentrated liquidity protocol on Solana was exploited via flash loans, resulting in the theft of approximately $8.8 million in SOL and stablecoins. The platform temporarily suspended all services to prevent further losses and engaged security firms and blockchain analysts to investigate. After negotiations, the attacker returned $8.3 million while retaining $1.68 million as a bounty, resolving the incident with assistance from incident responders and community tracking of the stolen funds.

Description

On July 3, 2022, Crema Finance, a concentrated liquidity protocol operating on the Solana blockchain, detected a security breach and immediately suspended all services to prevent further exploitation. The attacker employed six flash loans—a common DeFi attack vector—to drain approximately 69,500 SOL (valued at $2.3 million) and stablecoins worth $6.5 million, totaling $8.8 million in stolen assets at the time of the incident. Crema Finance publicly announced the hack via Twitter, disabled its liquidity protocol functions indefinitely, and initiated an investigation with assistance from security firms TRM Labs, blockchain analytics platforms Solscan and Etherscan, and the Solana team. Crypto community members independently tracked the attacker’s wallet address, which held 69,422.89 SOL, while others estimated that 90% of liquidity had been removed from specific pools. Co-founder Henry Du confirmed the protocol’s suspension and urged users to await official updates, emphasizing that Crema Finance (unrelated to the previously hacked Cream Finance) was coordinating with external responders.

Crema Finance directly contacted the attacker on July 3, offering an $800,000 bounty for returning the stolen funds and threatening legal action if no agreement was reached within 72 hours. Negotiations ensued, culminating in a resolution announced on July 5 where the attacker retained 45,455 SOL ($1.68 million) as a white-hat bounty and returned 6,064 ETH and 23,967.9 SOL, equivalent to $8.3 million at the time. The company publicly acknowledged the recovered funds and thanked TRM Labs and other security researchers for their assistance. The incident highlighted broader DeFi vulnerabilities, with blockchain firm Chainalysis noting that over $2.2 billion had been stolen from DeFi protocols in 2021. Crema’s temporary shutdown and subsequent recovery of most assets underscored both the operational risks inherent in decentralized finance and the emerging trend of negotiated settlements between protocols and attackers.
