The attacker started by creating a fake tick account. A tick account is “a dedicated account that stores price tick data in CLMM,” the developers said, referring to Crema’s market making protocol. After that, the attacker exploited a command by writing the data on the fake account and circumventing security measures.