Decentralized finance protocol startup Crema Finance has temporarily suspended services after a hacker stole $8.78 million in cryptocurrency from the company.

Crema offers a concentrated liquidity protocol or CLMM that provides services for traders and crypto liquidity providers. Liquidity protocol providers offer a solution to illiquid markets by offering rewards to liquidity providers to swap illiquid cryptocurrencies.  The company’s core service is a concentrated liquidity market maker which uses an augmented algorithm to drive decentralized trading.

Crema walked through the details of the hack Sunday on Twitter, explaining that the hacker started by creating a fake “tick account,” one that stores price tick data in CLMM. The hacker then circumvented Crema’s owner verification on the account by writing the initialized tick address of the pool into the fake account.

The second step saw the hacker deploying a contract and using it to make a flash loan from Solana to add liquidity on Crema to other open positions. With the CLMM, transaction fees rely on the data in the tick account, but in this case, swapped the authentic transaction fee data for the fake data. The hacker was then able to claim a fee amount from the pool on the phony transaction.

Upon finding the exploit, Crema suspended all smart contracts and has been working closely with professional security institutes and relevant organizations to track the hacker’s fund movements.

Crema managed to track the stolen funds with the hacker swapping them into balances in Solana and USDCet via the Jupiter swap aggregator. The USDCet was then swapped for Ethereum via the Uniswap decentralized cryptocurrency exchange.

The wallets holding the exchanged funds have been identified with Crema tracking all movements.

“It can’t be more terrible to see this happening, especially in a prosperous time for Crema,” the company wrote. “Now we are working on the technical fixing and fund tracing simultaneously. Contract [sic] will be resumed with issue fixed after the investigation is all done and a resolvement [sic] plan is made.”

The company also noted that it was still open to communicating with the hacker before further action is taken, suggesting that Crema would be happy simply to have the stolen funds returned.

Crema is not the first DeFi company to be hacked. In what is believed to be the largest DeFi hack so far, $600 million in cryptocurrency was stolen from finance platform provider Poly Network in August.

Image: Crema Finance