$3 300 000 USD
DESCRIPTION OF EVENTS
"Cheese Bank is a decentralized autonomous digital bank on Ethereum that allows investors to manage assets, including lending, fund management, insurance services etc." "Cheese Bank wants investors to have the option to manage their assets their way."
"An Ethereum-based decentralized finance platform known as Cheese Bank recently suffered a $3.3 million loss — the product of a hack in early November. The thieves utilized a somewhat newly found weakness in the DeFi sector that harnesses flashloans. The Cheese Bank thieves stole the cheddar via dollar-pegged stablecoins USD Coin (USDC), Tether (USDT) and Dai. A number of other platforms have also suffered similar fates in recent days."
"Attacker takes a flash loan from dYdX for 21k ETH. He/she swaps ETH for CHEESE at Uniswap. Attacker transfers both tokens into Uniswap for LP tokens. The hacker mints sUSD tokens with the LP tokens from Step #3. By swapping ETH for CHEESE, the hacker raises the price of CHEESE." The last step is "crucial to the hack’s success because it increased the LP token’s collateral value in Cheese Bank. By manipulating the CHEESE-ETH pool, the hacker could drain the DAI, USDC, and USDT with legit borrow( ) calls. So, with a series of borrow calls at Cheese Bank and swaps at Uniswap, the hacker finished off the job by repaying the flash loan to dYdX and pocketing the rest."
"This particular hack drains $3.3 million of USDC/USDT/DAI from Cheese Bank by exploiting a bug in its way to measure asset price from an AMM-based oracle." "As a result, with a flashloan-based manipulation of collateral price on Uniswap, the exploitation manages to make a series of malicious borrow operations, leading to $3.3 million of USDC/USDT/DAI loss (of Cheese Bank)."
"At the same time, Cheese Bank's developers assure the bug that made the attack possible has already been fixed, however, some features of the platform are still not available due to the associated risks."
Flash loans are a new feature of decentralized finance that attackers can use to exploit market conditions in various ways, typically by manipulating the asset prices reported by particular oracles.
Smart contracts will typically blindly follow their instructions. In this case, as with others, that's highly lucrative for the attacker, at the expense of anyone else using the platform.
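The oracle weakness described above can be reproduced on a toy constant-product pool. This is an added example, not code from Cheese Bank or from any of the cited analyses; the pool sizes, the function names, and the existence of an independent reference price are assumptions, and swap fees are ignored. It compares an LP-token valuation taken from the pool's own spot reserves with one derived from the pool invariant and a reference price, plus a deviation check.

```python
import math
from dataclasses import dataclass

@dataclass
class Pool:
    """Constant-product CHEESE-ETH pool (eth * cheese = k); swap fees ignored."""
    eth: float
    cheese: float
    lp_supply: float

    def swap_eth_for_cheese(self, eth_in: float) -> float:
        k = self.eth * self.cheese
        self.eth += eth_in
        cheese_out = self.cheese - k / self.eth
        self.cheese -= cheese_out
        return cheese_out

def spot_lp_price(pool: Pool) -> float:
    """Naive oracle: price both reserves at the pool's own spot rate (in ETH).
    cheese * (eth / cheese) == eth, so the result is just 2 * eth / lp_supply."""
    spot = pool.eth / pool.cheese
    return (pool.eth + pool.cheese * spot) / pool.lp_supply

def fair_lp_price(pool: Pool, ref_price: float) -> float:
    """Hardened: derive reserves from k and a reference CHEESE/ETH price that
    does not come from this pool's current state. Swaps leave k unchanged."""
    k = pool.eth * pool.cheese
    return 2 * math.sqrt(k * ref_price) / pool.lp_supply

def spot_within_bounds(pool: Pool, ref_price: float, max_dev: float = 0.05) -> bool:
    """Circuit breaker: refuse to value collateral while spot strays from ref."""
    spot = pool.eth / pool.cheese
    return abs(spot - ref_price) / ref_price <= max_dev

def demo() -> dict:
    # Constructed numbers, not the real pool's reserves.
    pool, ref = Pool(eth=100.0, cheese=10_000.0, lp_supply=1_000.0), 0.01
    before = (spot_lp_price(pool), fair_lp_price(pool, ref))
    pool.swap_eth_for_cheese(300.0)  # one large single-transaction swap
    after = (spot_lp_price(pool), fair_lp_price(pool, ref))
    return {"before": before, "after": after,
            "breaker_ok": spot_within_bounds(pool, ref)}

if __name__ == "__main__":
    print(demo())
```

With these constructed reserves the spot-based LP price quadruples after the swap, while the invariant-based price is unchanged and the deviation check rejects the pool state.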
HOW COULD THIS HAVE BEEN PREVENTED?
In general, it's not possible to know if a decentralized smart contract is fully secure against all future threats. The space continues to evolve over time.
For customer assets to remain secure in general, they should be stored offline in a multi-signature wallet set up so that at least 3 of 4 different trained operators need to approve the withdrawal.
Cheese Bank’s multi-million-dollar hack explained by security firm (May 12)
Cheese Bank Incident Root Cause Analysis (May 16)
DeFi Deep Dive - Top DeFi Hacks Of 2020 (May 16)
DeFi Project Cheese Bank Loses $3.3M After Hacker Attack | News | ihodl.com (May 16)
Biggest DeFi Hacks in 2020 - List of DeFi Hacks (May 16)
Cheese Bank Detailed Statement (May 16)
CipherTrace Cryptocurrency Crime and Anti-Money Laundering Report 2020 (Jun 20)
SlowMist Hacked - SlowMist Zone (May 18)
Blockchain Hacks: 2020 | $15 billion lost, how can we mitigate hacks in 2021? | CertiK Foundation Blog (Jul 23)