Cheese Bank Detailed Statement
What happened
On November 6 (GMT), an attacker used a dYdX flash loan to attack Cheese Bank, causing a loss of more than $3.3 million.
The attacker first transferred 1 ETH from an anonymous platform to cover the initial transaction fees. By calling dYdX's flash loan contract, the attacker borrowed 21000 ETH and used 50 ETH of it to buy 107232 Cheese on Uniswap. The 107232 Cheese and 78.8 ETH were then added to the Uniswap liquidity pool to obtain Cheese-ETH UNI LP tokens, all of which were deposited into Cheese Bank. The attacker then used 20000 ETH to push up the Cheese price on Uniswap, which instantaneously inflated the value of the Cheese-ETH UNI LP tokens by 300 times, and borrowed all of the stablecoins (USDT/USDC/DAI) held by Cheese Bank against that collateral. 58812 USDC of the stolen funds were converted into 132 ETH to pay fees during the attack. Afterwards, all stolen assets were converted to BTC through multiple DeFi platforms, renBTC and other services, and a series of complex, intensive transfers is still ongoing.
Actions taken by Cheese Bank team
- Deposits are temporarily paused
- Major exchanges have been informed of the attack
- Working with security experts and blockchain analysis providers
- Development and security processes are being reviewed
- Investigations filed in the relevant countries
- Fixed the relevant bugs involved in the incident:
  - Fixed the LP price generation mechanism: the Uniswap moving average price is now used to smooth instantaneous price fluctuations, making flash loan attacks more difficult
  - Set a price fluctuation threshold after preliminary calculation: if the price moves by more than the threshold within a short period, the new price is not adopted, minimising what an attacker can gain. The threshold will be further optimised so that an attacker cannot profit from a price attack (see "Next possible steps")
  - Added a price refresh authority: under special circumstances the team can refresh the price through the administrator's authority so that it returns to the market level (a temporary measure, to be removed once further improvements are launched)
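As an added illustration, not Cheese Bank's code, the Python below models why valuing LP tokens from the pool's own spot reserves can be inflated within a single transaction, and how a moving-average reference with a deviation threshold, as described in the fixes above, refuses the inflated price and keeps the borrow limit at the pre-manipulation level. The pool reserves, the 20% threshold, the 5-sample window and the 0.75 collateral factor are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Constant-product (x*y=k) pool like Uniswap v2; reserve numbers are constructed."""
    eth: float
    cheese: float
    lp_supply: float

    def swap_eth_for_cheese(self, eth_in: float) -> float:
        """Add ETH, take CHEESE out: moves reserves and spot price within one tx (fee ignored)."""
        cheese_out = self.cheese * eth_in / (self.eth + eth_in)
        self.eth += eth_in
        self.cheese -= cheese_out
        return cheese_out

    def naive_lp_price_eth(self) -> float:
        """Vulnerable valuation: the CHEESE half is priced at the pool's own spot price
        (eth/cheese), so it always equals the ETH half: LP price = 2 * eth / supply."""
        return 2 * self.eth / self.lp_supply

class GuardedLpOracle:
    """Mitigation in the spirit of the statement: moving average of accepted prices
    (a stand-in for a Uniswap TWAP) plus a deviation threshold; 20% and 5 samples are assumed."""
    def __init__(self, initial_price: float, max_change: float = 0.20, window: int = 5):
        self.history = [initial_price] * window
        self.max_change = max_change

    def refresh(self, candidate: float) -> tuple[bool, float]:
        """Return (accepted, price in force); a rejected candidate leaves the average in force."""
        reference = sum(self.history) / len(self.history)
        if abs(candidate - reference) / reference > self.max_change:
            return False, reference
        self.history = self.history[1:] + [candidate]
        return True, candidate

def borrow_limit_eth(lp_tokens: float, lp_price_eth: float, factor: float = 0.75) -> float:
    """Lender's borrow cap for an LP deposit at a given LP price (collateral factor assumed)."""
    return lp_tokens * lp_price_eth * factor

def demo() -> dict:
    pool = Pool(eth=80.0, cheese=100_000.0, lp_supply=1_000.0)
    before = pool.naive_lp_price_eth()
    oracle = GuardedLpOracle(before)
    pool.swap_eth_for_cheese(20_000.0)          # one large swap inside a single transaction
    after = pool.naive_lp_price_eth()
    accepted, used = oracle.refresh(after)
    return {"before": before, "after": after, "accepted": accepted, "used": used,
            "naive_limit": borrow_limit_eth(1_000, after),
            "guarded_limit": borrow_limit_eth(1_000, used)}
```

With the constructed reserves the naive LP price jumps from 0.16 ETH to 40.16 ETH after the swap, while the guarded oracle rejects the refresh and the borrow cap stays at 120 ETH instead of 30120 ETH.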
Address related to the attack
Attacker’s wallet: 0x882d72aaae187f54e85c7a0cb19dfec5316cd9aa
Attacking Contract: 0x9e0259437804c7bf175421a451bc80611a0b93c3
Stolen Assets deposition address: 0x02b7165D0916E373f0235056a7e6FCcdb82d2255
Attacker’s address when retrieving BTC: bc1q8eraa350aw8tcmftulrjnagrtexaukz0mzv8u6
Some of the addresses the attacker used to transfer BTC:
Next possible steps
- Review the code and security procedures, and publish a post-mortem with our analysis
- Continue cooperating with the tracking of the stolen assets, and disclose information to the community as long as the case is not under confidential proceedings
- Further improvement of the LP price refresh mechanism:
  - Forbid flash loan or related contracts from triggering a price refresh, to prevent flash loan attacks
  - Use numerical simulation to refine the price fluctuation threshold so that the revenue from a flash loan attack is far lower than its cost
  - Other mechanisms to prevent cross-block attacks like the one Harvest suffered, to strengthen resistance to price attacks
We will keep the community informed of follow-up arrangements.
During this challenging period we have received a lot of support and help from the community, the police, centralized exchanges, security companies and SlowMist's team, and we are very grateful. We would appreciate any useful clues.
Thank you,
Cheese Bank Team