Crema Finance Tick-Account Spoof
A fake tick account bypassed Crema's owner check and harvested fictitious fees via CLMM accounting, draining $9.6M on Solana. $8M returned in white-hat deal.
- Date: July 2, 2022
- Victim: Crema Finance
- Chain(s): Solana
- Status: Partially Recovered
On July 2, 2022, the Solana concentrated-liquidity protocol Crema Finance was drained of approximately $9.6 million through a fake tick-account injection. Roughly $8M was returned to the protocol as a white-hat settlement; the attacker kept $1.6M as a "bounty."
What happened
Crema's CLMM (Concentrated Liquidity Market Maker) was the Solana analogue to Uniswap v3 — liquidity providers deposited into specific price ticks, and the protocol tracked which ticks were active and how much fee revenue each had accumulated.
Solana programs receive every account they touch as an instruction argument, and the runtime does not validate that an account passed in is the one the program expects. Accounts carry an owner field, and the runtime only guarantees that nobody but the owning program can write an account's data; it is up to the program to reject accounts whose owner is wrong, and, separately, to confirm that the account at a given slot is the specific one it expects (typically by recomputing its program-derived address and comparing). Crema's tick-account check verified the owner field but did not verify that the tick account being passed was actually one of the pool's legitimate ticks.
The attack:
- Created a fake tick account owned by Crema's program but containing attacker-chosen state.
- Wrote the address of an initialised legitimate tick into a field of the fake account to bypass downstream sanity checks.
- Took a flash loan from Solend and used it to deposit liquidity into the Crema pool through the path that referenced the fake tick.
- Fabricated the fee-accumulation data in the fake tick to claim a much larger share of the pool's fees than any real LP could legitimately have earned.
- Withdrew the fictitious fees — about $9.6M in mixed assets — and repaid the flash loan.
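The following is an added illustration of the validation gap and of why a spoofed tick translates into a fee claim; it is a model written for this page, not Crema's code. The program id, account layout, seed scheme, pool numbers and the attacker's tick contents are all constructed, and the fee-growth arithmetic follows the Uniswap v3 convention that the page says Crema's CLMM mirrored (fee growth "outside" each tick, combined with wrapping subtraction). The owner-only validator stands in for the check described above; the hardened validator adds the PDA identity check and a consistency check on the tick's own recorded pool and index.

```python
# Model of a CLMM tick-account check, owner-only versus hardened. Added example, not
# Crema's code: program id, seeds, account layout and all numbers are constructed.
import hashlib
from dataclasses import dataclass

Q64 = 1 << 64                      # fixed-point scale for fee growth (Uniswap v3 style)
U128_MASK = (1 << 128) - 1         # fee-growth subtraction wraps modulo 2^128
PROGRAM_ID = b"\x11" * 32          # stand-in for the CLMM program id (assumption)


@dataclass
class Account:
    key: bytes      # 32-byte address
    owner: bytes    # program that owns the account
    data: dict      # decoded state (real accounts hold raw bytes)


def derive_tick_address(pool_key: bytes, tick_index: int) -> bytes:
    """Hashing step of Solana's create_program_address:
    sha256(seeds || program_id || b"ProgramDerivedAddress").
    Simplification: the real routine also rejects on-curve results and
    searches a bump seed; both are omitted. The seed layout is assumed."""
    seeds = b"tick" + pool_key + tick_index.to_bytes(4, "little", signed=True)
    return hashlib.sha256(seeds + PROGRAM_ID + b"ProgramDerivedAddress").digest()


def make_tick(pool_key: bytes, index: int, fee_growth_outside: int) -> Account:
    """A legitimate tick lives at the PDA for (pool, index)."""
    key = derive_tick_address(pool_key, index)
    return Account(key, PROGRAM_ID, {"pool": pool_key, "index": index,
                                     "fee_growth_outside": fee_growth_outside})


def validate_tick_owner_only(tick: Account) -> dict:
    """The gap: owner is checked, identity is not."""
    if tick.owner != PROGRAM_ID:
        raise ValueError("tick not owned by program")
    return tick.data


def validate_tick(tick: Account, pool: Account, index: int) -> dict:
    """Hardened check: owner, exact PDA identity, then internal consistency."""
    if tick.owner != PROGRAM_ID:
        raise ValueError("tick not owned by program")
    if tick.key != derive_tick_address(pool.key, index):
        raise ValueError("tick address is not this pool's PDA for that index")
    if tick.data["pool"] != pool.key or tick.data["index"] != index:
        raise ValueError("tick state does not match pool/index")
    return tick.data


def fee_growth_inside(global_fg: int, lower: dict, upper: dict, current_tick: int) -> int:
    """Uniswap v3 Tick.getFeeGrowthInside, including its wrapping subtraction."""
    if current_tick >= lower["index"]:
        below = lower["fee_growth_outside"]
    else:
        below = (global_fg - lower["fee_growth_outside"]) & U128_MASK
    if current_tick < upper["index"]:
        above = upper["fee_growth_outside"]
    else:
        above = (global_fg - upper["fee_growth_outside"]) & U128_MASK
    return (global_fg - below - above) & U128_MASK


def fees_owed(liquidity: int, inside_now: int, inside_last: int) -> int:
    return liquidity * ((inside_now - inside_last) & U128_MASK) // Q64


# Constructed pool: 1000 fee units per unit of liquidity accrued so far, price at tick 0.
POOL = Account(b"\x22" * 32, PROGRAM_ID, {"fee_growth_global": 1000 * Q64, "current_tick": 0})
LOWER, UPPER = -10, 10
REAL_LOWER = make_tick(POOL.key, LOWER, 100 * Q64)
REAL_UPPER = make_tick(POOL.key, UPPER, 200 * Q64)
LIQUIDITY = 10

# Attacker tick: correct owner, attacker-chosen address and state. It records the real
# pool's address (cf. the legitimate-tick field written into the fake account above) and
# a fee_growth_outside larger than the pool's global figure, so the subtraction wraps.
FAKE_LOWER = Account(b"\x33" * 32, PROGRAM_ID,
                     {"pool": POOL.key, "index": LOWER, "fee_growth_outside": 2000 * Q64})


def honest_claim() -> int:
    lo = validate_tick(REAL_LOWER, POOL, LOWER)
    hi = validate_tick(REAL_UPPER, POOL, UPPER)
    inside = fee_growth_inside(POOL.data["fee_growth_global"], lo, hi, POOL.data["current_tick"])
    return fees_owed(LIQUIDITY, inside, 0)      # 10 * (1000 - 100 - 200) = 7000


def spoofed_claim_owner_only() -> int:
    lo = validate_tick_owner_only(FAKE_LOWER)
    hi = validate_tick_owner_only(REAL_UPPER)
    inside = fee_growth_inside(POOL.data["fee_growth_global"], lo, hi, POOL.data["current_tick"])
    return fees_owed(LIQUIDITY, inside, 0)      # wraps to roughly 10 * 2^64


def spoofed_claim_hardened() -> str:
    try:
        validate_tick(FAKE_LOWER, POOL, LOWER)
    except ValueError as err:
        return str(err)
    return "accepted"


if __name__ == "__main__":
    print("honest:", honest_claim())
    print("spoofed, owner-only check:", spoofed_claim_owner_only())
    print("spoofed, hardened check:", spoofed_claim_hardened())
```

The owner-only path accepts the fake tick and pays out a fee figure far above everything the pool has ever collected, because the attacker's fee_growth_outside value drives the wrapping subtraction past zero; the hardened path rejects it at the PDA comparison before any arithmetic runs, and would also reject a real tick borrowed from a different pool at the consistency check.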
Aftermath
- Crema paused all pool operations and began on-chain negotiation with the attacker.
- After approximately a week of negotiation, the attacker returned $8M in exchange for a 45,455 SOL (~$1.6M) bounty.
- In July 2023 the U.S. Attorney's Office for the Southern District of New York charged a security engineer, Shakeeb Ahmed, then employed at an unnamed international tech firm, with wire fraud and money laundering over the exploit. He pleaded guilty in December 2023 and was sentenced to three years in prison in April 2024.
Why it matters
Crema is one of the 2022 Solana DeFi incidents (alongside Cashio, whose unvalidated collateral accounts enabled an infinite mint in March, and Nirvana Finance later in July) that hammered home the importance of complete account validation in Solana programs. The standard mitigation, checking every account passed to a program for both owner and exact identity (usually by re-deriving the expected PDA and comparing addresses), was already documented in Solana's own developer guidelines, but the cost of skipping it was paid, in case after case, in real customer funds.
The Crema settlement is also a clean example of the white-hat-by-pressure outcome: the attacker held the funds publicly, on-chain, in identifiable wallets; the team negotiated with full visibility; the eventual settlement bought protocol continuity at a $1.6M cost. That lever only exists while the funds remain traceable and the attacker has reason to fear identification. Once proceeds have been mixed beyond tracing, or the attacker is confident of staying anonymous, there is nothing to negotiate with. In Crema's case neither held, and the later prosecution showed the identification risk was real.
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-crema-finance-hack-july-2022
- [02] coindesk.com: https://www.coindesk.com/tech/2022/07/07/crema-finance-attacker-returns-almost-8m-keeps-17m-bounty
- [03] ackee.xyz: https://ackee.xyz/blog/2022-solana-hacks-explained-crema-finance/