On November 16, PeckShield researchers published a root-cause analysis of the November 6 hack of the DeFi project Cheese Bank, in which attackers siphoned off $3.3 million in the stablecoins USDC, USDT and DAI.
Cheese Bank Incident: Root Cause Analysis https://t.co/pe2ccTqTgJ
— PeckShield Inc. (@peckshield) November 16, 2020
The vulnerability lay in Cheese Bank's collateral-valuation mechanism, which relied on the spot state of an automated market maker (Uniswap) as its price oracle.
“During a series of attacks, we observed that attackers used flash loans to obtain, exchange, deposit, and repeatedly obtain large sums with the aim of manipulating the price of a single token on one exchange,” PeckShield wrote.
In the same month, the DeFi projects Akropolis and Value DeFi suffered similar attacks.
The attackers' sequence of steps was as follows:
- Took a flash loan of 21,000 ETH from the dYdX platform;
- Swapped 50 ETH for 107,000 CHEESE tokens on UniswapV2;
- Added the 107,000 CHEESE plus the required 78 ETH to the UniswapV2 CHEESE/ETH liquidity pool, receiving UNI_V2 LP tokens in return;
- Minted sUSD_V2 tokens against all of the UNI_V2 LP tokens obtained in the previous step, which made the LP tokens usable as collateral for borrowing from Cheese Bank;
- Pumped the price of Cheese Bank's native token on UniswapV2 by swapping 20,000 ETH for 288,000 CHEESE, which inflated the value of the UNI_V2 LP collateral. PeckShield notes that this is the key step, since the protocol valued an LP token from the amount of WETH held in the liquidity pool, and the 20,000 ETH swap pushed exactly that reserve up;
- Triggered an update of Cheese Bank's oracle price feed;
- Drained all of Cheese Bank's USDC, USDT and DAI via the borrow function. Before doing so, the attackers "prudently" queried the protocol's balances so as to borrow exactly what was available;
- Swapped the 288,000 CHEESE back for 19,980 ETH on UniswapV2 to recover most of the ETH needed to repay the 21,000 ETH flash loan;
- Swapped 58,000 USDC for 132 ETH on UniswapV2 to cover the ETH lost to UniswapV2 fees and slippage in the earlier swaps;
- Moved the $3.3 million in USDC, USDT and DAI to a separate address (at the time of writing its balance stood at $453.75);
- Repaid the 21,000 ETH flash loan to dYdX.
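To make the key step concrete, here is an added toy simulation (not PeckShield's analysis or Cheese Bank's code) of the sequence above against a constant-product pool. It contrasts the flawed rule the write-up describes, valuing an LP token from the pool's WETH reserve, with a reserve-split-independent rule of the form 2·sqrt(k·p_eth·p_cheese)/totalSupply that takes the CHEESE price from a source outside the pool. Pool sizes, the 0.3% fee, the 75% collateral factor, the valuation formulas and all intermediate amounts are constructed assumptions, not figures from the incident.

```python
"""Toy constant-product AMM showing why pricing an LP token from the pool's WETH
reserve (the flaw described in the Cheese Bank write-up) is flash-loan manipulable,
while a reserve-split-independent formula is not.  All numbers are constructed."""
from dataclasses import dataclass
from math import sqrt

FEE = 0.003  # Uniswap V2 swap fee (0.3%)


@dataclass
class Pool:
    """Uniswap V2-style ETH/CHEESE pool: x * y = k, LP tokens are pro-rata shares."""
    eth: float
    cheese: float
    lp_supply: float

    def _swap(self, amount_in: float, reserve_in: float, reserve_out: float) -> float:
        amount_in_after_fee = amount_in * (1 - FEE)
        return reserve_out * amount_in_after_fee / (reserve_in + amount_in_after_fee)

    def swap_eth_for_cheese(self, eth_in: float) -> float:
        cheese_out = self._swap(eth_in, self.eth, self.cheese)
        self.eth += eth_in
        self.cheese -= cheese_out
        return cheese_out

    def swap_cheese_for_eth(self, cheese_in: float) -> float:
        eth_out = self._swap(cheese_in, self.cheese, self.eth)
        self.cheese += cheese_in
        self.eth -= eth_out
        return eth_out

    def add_liquidity(self, eth_in: float, cheese_in: float) -> float:
        """Mint LP tokens pro rata; the caller deposits at the current pool ratio."""
        minted = min(eth_in / self.eth, cheese_in / self.cheese) * self.lp_supply
        self.eth += eth_in
        self.cheese += cheese_in
        self.lp_supply += minted
        return minted


def naive_lp_value_eth(pool: Pool, lp: float) -> float:
    """Flawed valuation from the write-up: the LP share's WETH reserve, doubled.
    Any swap that pushes ETH into the pool inflates this directly."""
    return 2 * pool.eth * lp / pool.lp_supply


def fair_lp_value_eth(pool: Pool, lp: float, cheese_price_eth: float) -> float:
    """Assumed hardened rule: 2*sqrt(k * p_eth * p_cheese) / supply with p_eth = 1 and
    p_cheese from an external (non-pool) source.  A swap inside one block changes k
    only by the fee it pays, so this value barely moves."""
    k = pool.eth * pool.cheese
    return 2 * sqrt(k * 1.0 * cheese_price_eth) * lp / pool.lp_supply


def simulate_attack(loan_eth=21_000.0, probe_eth=50.0, manipulation_eth=20_000.0,
                    collateral_factor=0.75) -> dict:
    """Replay the write-up's step sequence on the toy pool and report what each
    valuation rule would have let the attacker borrow (in ETH-equivalent)."""
    pool = Pool(eth=1_000.0, cheese=2_000_000.0, lp_supply=1_000.0)  # constructed sizes
    cheese_price_eth = pool.eth / pool.cheese  # external reference price, held fixed
    balance = loan_eth                         # flash-loaned ETH in hand

    # Buy a little CHEESE, then deposit it with matching ETH to receive LP tokens.
    cheese = pool.swap_eth_for_cheese(probe_eth)
    balance -= probe_eth
    match_eth = cheese * pool.eth / pool.cheese
    lp = pool.add_liquidity(match_eth, cheese)
    balance -= match_eth
    naive_before = naive_lp_value_eth(pool, lp)
    fair_before = fair_lp_value_eth(pool, lp, cheese_price_eth)

    # Dump the rest of the loan into the pool to pump its WETH reserve.
    cheese_bought = pool.swap_eth_for_cheese(manipulation_eth)
    balance -= manipulation_eth
    naive_after = naive_lp_value_eth(pool, lp)
    fair_after = fair_lp_value_eth(pool, lp, cheese_price_eth)

    # Borrow against the collateral at its current valuation, then unwind the pump.
    balance += pool.swap_cheese_for_eth(cheese_bought)
    shortfall_eth = loan_eth - balance  # ETH the attacker must source to repay the loan

    return {
        "naive_before": naive_before, "naive_after": naive_after,
        "fair_before": fair_before, "fair_after": fair_after,
        "borrow_naive": naive_after * collateral_factor,
        "borrow_fair": fair_after * collateral_factor,
        "shortfall_eth": shortfall_eth,
    }


if __name__ == "__main__":
    r = simulate_attack()
    for name, value in r.items():
        print(f"{name:>14}: {value:12.2f} ETH")
    print("profitable under naive pricing:", r["borrow_naive"] > r["shortfall_eth"])
    print("profitable under fair pricing: ", r["borrow_fair"] > r["shortfall_eth"])
```

Under the naive rule the attacker's LP collateral is valued at roughly twenty times its real worth once the 20,000 ETH swap lands, so the borrowable amount dwarfs the ETH lost to fees, slippage and the forfeited LP position; under the reserve-split-independent rule the same swap moves the valuation by well under one percent and the attack does not pay for itself. The hardened rule still depends on an honest external CHEESE price (a time-weighted average or an off-chain feed), which is the caveat PeckShield's closing advice is about.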
“Because automated market maker price oracles have frequently been targeted in recent attacks, we advise particular caution when treating them as oracle prices, as they can be easily manipulated,” the experts conclude.
In October, an attacker drained $19.8 million from Harvest Finance by manipulating stablecoin prices in the DeFi protocol Curve.
