Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Explained: The Crema Finance Hack - 898

Rob Behnke - Posted 3 Years Ago
  • Crema is an Automated Market Maker (AMM) that allows users to concentrate their funds into specific zones for trading. This allows users to use more of their resources, instead of a small fraction of them. With this model, liquidity providers can specify the price ranges in which their liquidity should be traded.
  • The issue was susceptibility to flash loan attacks. First, the attacker created a tick account. This is an account dedicated to storing the price data of the AMM.
  • Next, they took out a large flash loan to add liquidity to Crema. The calculation of the fees relies on the data from the tick account. Since the tick account could be controlled by the attacker, it supplied malicious data. In particular, it reported that the fee for a transaction was gigantic, stealing a large amount of capital in the process.
  • Since the attacker took out the flash loan, the impact was quite dramatic. Their large capital gave them a large share of the transaction fees, and the tick account they controlled supplied the inflated transaction fee. This resulted in a large amount of money being stolen from the protocol.
  • My question is how does somebody get to set the price of the transaction fee? It seems really strange that an account can be created and simply do that. The protocol has some verification steps, but this was trivially bypassed.
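
A simplified model of the tick-account validation discussed above, as an added example that is not Crema's code or taken from the original post: the `Pubkey`, `Account` and `Pool` types, the program id, and every value are constructed for illustration. It contrasts a fee claim that trusts whatever tick account the caller passes in with one that rejects any tick account the pool did not register.

```rust
// Simplified model, not Crema's code: all names and values are constructed.
#[derive(Clone, Copy, PartialEq, Debug)]
struct Pubkey(u8);

const AMM_PROGRAM: Pubkey = Pubkey(1); // hypothetical program id

struct Account {
    key: Pubkey,
    owner: Pubkey,   // program allowed to write this account's data
    fee_growth: u64, // fee accrued per unit of liquidity, stored in the tick
}

struct Pool {
    tick_account: Pubkey, // the tick account the pool itself registered
}

// Fee owed = position liquidity * fee growth read from the tick account.
fn fee_owed(liquidity: u64, tick: &Account) -> u64 {
    liquidity.saturating_mul(tick.fee_growth)
}

// Weak form: any account supplied by the caller is trusted as price data.
fn claim_unchecked(liquidity: u64, tick: &Account) -> u64 {
    fee_owed(liquidity, tick)
}

// Hardened form: the tick account must be owned by the AMM program and be
// the exact account the pool registered; otherwise the claim is rejected.
fn claim_checked(pool: &Pool, liquidity: u64, tick: &Account) -> Result<u64, &'static str> {
    if tick.owner != AMM_PROGRAM {
        return Err("tick account not owned by AMM program");
    }
    if tick.key != pool.tick_account {
        return Err("tick account does not belong to this pool");
    }
    Ok(fee_owed(liquidity, tick))
}

fn main() {
    let pool = Pool { tick_account: Pubkey(10) };
    let genuine = Account { key: Pubkey(10), owner: AMM_PROGRAM, fee_growth: 2 };
    let forged = Account { key: Pubkey(66), owner: Pubkey(99), fee_growth: 1_000_000 };
    println!("unchecked, forged tick: {}", claim_unchecked(5_000, &forged));
    println!("checked, forged tick:   {:?}", claim_checked(&pool, 5_000, &forged));
    println!("checked, genuine tick:  {:?}", claim_checked(&pool, 5_000, &genuine));
}
```

The larger the liquidity figure, the larger the payout from an unvalidated tick, which is why the borrowed capital amplified the loss in the unchecked path.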