Crema hacker returns $8M, keeps $1.6M in deal with protocol

The hacker who exploited Solana-based liquidity protocol Crema Finance on July 2 returned most of the funds but was allowed to keep $1.6 million as a white hat bounty.

The bounty, 45,455 Solana (SOL), is worth a generous 16.7% of the $9.6 million Crema lost initially, which forced the protocol to suspend services.

Crema’s team began an investigation to identify the hacker by tracking their Discord handle and tracing the original gas source for the hacker’s address. Just as it seemed the team may have been onto the secret identity, it announced that it had been negotiating with the hacker. On Wednesday, the hacker returned 6,064 Ether (ETH) and 23,967 SOL worth roughly $8 million.

After a long negotiation, the hacker agreed to take 45455 SOL as the white hat bounty. Now we have confirmed the receipt of 6064 ETH + 23967.9 SOL in four transactions indicated below. A follow-up compensation plan will be released in 48h.

— CremaFinance (@Crema_Finance) July 6, 2022

The hacker returned the funds in a series of transactions on Ethereum and Solana networks. The first transaction on each network was a test with a negligible amount of coins, while the following was worth the majority of the funds sent.

Users of Crema and the team have reason to rest easier now that the funds have been secured, but there is still work to do. The team announced on Tuesday before the deal had been reached, that it submitted new code for auditing to ensure that the same exploit did not happen again.

Although the community awaits an official post-mortem on the attack, the Crema team outlined what happened in a Sunday thread on Twitter. The attacker took out a flash loan from the Solend decentralized finance (DeFi) lending protocol, which was added as liquidity to a Crema pool.

The hacker then fabricated pricing data to make it seem as though they were owed a much bigger reward than they should have. This allowed them to take “a huge fee amount,” worth about $9.6 million from the pool to, which they added the flash loan.

Related: Dutch University set to recover more than twice the paid BTC ransom in 2019

The Crema protocol will be back up and running after the audit is complete, according to the team’s tweet. The team will also issue a compensation plan for affected users by July 8.

Crema is lucky to have recovered as much of the funds as it did, considering the calamity that befell the Horizon Bridge on Harmony last month. A hacker stole $100 million in crypto from Harmony’s token bridge and rejected the $1 million white hat bounty to return the funds.