Cheese Bank Detailed Statement

What happened

On November 6 (GMT), hackers used the dydx flashloan to launch an attack on Cheese Bank, resulting in a loss of more than $3.3 million.The hacker transferred 1 ETH on the anonymous platform for the initial handling fee. By calling dydx’s flashloan contract, the hacker borrowed 21000 ETH, and used 50 ETH to purchase 107232 Cheese in Uniswap. 107232 Cheese and 78.8 ETH were added into the Uniswap liquidity pool to obtain Cheese-ETH UNI LP tokens, and all of them were deposited into Cheese Bank. After this operation, hackers continued to use 20000 ETH to attack the Cheese token price in Uniswap, resulting in the instantaneous increase of the value of Cheese-ETH UNI LP tokens by 300 times, and the stable currencies such as USDT/ USDC / Dai of Cheese Bank are all borrowed up. 58812 USDC in the stolen funds were converted into 132 ETH to pay the fees during the attack. After that, all the stolen assets were converted to BTC through multiple DeFi platforms, renBTC and other institutions. The subsequent complex and intensive transfer operations are continued.

Actions taken by Cheese Bank team

  1. The deposit function is temporarily paused
  2. Main exchanges informed of this attack
  3. Working with security experts, block-chain analysis providers
  4. Dev and security processes are being reviewed
  5. Filed investigations in related countries
  6. Fixed the relevant bugs involved in the incident:
  • After preliminary calculation, the price fluctuation threshold is set. If the price fluctuation exceeds a certain threshold in a short period of time, it will not be adopted, so as to minimize the income obtained by attackers. In the future, the threshold will be further optimized so that the attacker can not gain profits through the price attack (view more on the part of next possible step)
  • Set the price refresh authority. Under special circumstances, the team can refresh the price through the administrator’s authority, so that the price can return to the market level (this is a temporary treatment measure, and will be removed after launching further improvements)

Address related to the attack

Attacker’s wallet: 0x882d72aaae187f54e85c7a0cb19dfec5316cd9aa

Next possible steps

  1. Review the code and security procedures, and will publish a post-mortem with our analysis
  2. Continue to Keep cooperating with the tracking of stolen asset, and disclose information to the community while the case doesn’t in confidential procedures
  3. Further Improvement of LP price refresh mechanism:
  • Numerical simulation will be used to refine the threshold of price fluctuation to ensure that the revenue obtained by the flashloan attack is far lower than the cost
  • Other mechanics to prevent cross block attacks like Harvest had met, to enhance the ability to resist price attacks

Cheese for everyone!A autonomous digital bank based on a decentralized protocol on Ethereum. Innovative defi-lending service will be launched as the first step.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store