$3 300 000 USD





"Cheese Bank is a decentralized autonomous digital bank on Ethereum that allows investors to manage assets, including lending, fund management, insurance services, etc." "Cheese Bank wants investors to have the option to manage their assets their way."


"An Ethereum-based decentralized finance platform known as Cheese Bank recently suffered a $3.3 million loss — the product of a hack in early November. The thieves utilized a somewhat newly found weakness in the DeFi sector that harnesses flashloans. The Cheese Bank thieves stole the cheddar via dollar-pegged stablecoins USD Coin (USDC), Tether (USDT) and Dai. A number of other platforms have also suffered similar fates in recent days."


"Attacker takes a flash loan from dYdX for 21k ETH. He/she swaps ETH for CHEESE at Uniswap. Attacker transfers both tokens into Uniswap for LP tokens. The hacker mints sUSD tokens with the LP tokens from Step #3. By swapping ETH for CHEESE, the hacker raises the price of CHEESE." The last step is "crucial to the hack’s success because it increased the LP token’s collateral value in Cheese Bank. By manipulating the CHEESE-ETH pool, the hacker could drain the DAI, USDC, and USDT with legit borrow( ) calls. So, with a series of borrow calls at Cheese Bank and swaps at Uniswap, the hacker finished off the job by repaying the flash loan to dYdX and pocketing the rest."


"This particular hack drains $3.3 million of USDC/USDT/DAI from Cheese Bank by exploiting a bug in its way to measure asset price from an AMM-based oracle." "As a result, with a flashloan-based manipulation of collateral price on Uniswap, the exploitation manages to make a series of malicious borrow operations, leading to $3.3 million of USDC/USDT/DAI loss (of Cheese Bank)."


"At the same time, Cheese Bank's developers assure that the bug that made the attack possible has already been fixed; however, some features of the platform are still not available due to the associated risks."

Flash loans are a new feature of decentralized finance that allows attackers to exploit market conditions in various ways, typically by manipulating the prices of assets at particular oracles.
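The oracle weakness described above, as an added example that is not code from Cheese Bank or the quoted sources: a constant-product pool model comparing an assumed reserve-based LP token valuation with a valuation built on the pool invariant and a reference price. The `Pool` class, both valuation functions, the pool sizes and the reference price are assumptions constructed for illustration.

```python
# Added illustration (not Cheese Bank's code): reserve-based vs. "fair" LP pricing.
# Pool sizes, fee and the reference price are constructed sample values.
from math import sqrt

FEE = 0.003  # Uniswap v2-style swap fee


class Pool:
    """Constant-product ETH/CHEESE pool (x * y = k)."""

    def __init__(self, eth, cheese, lp_supply):
        self.eth, self.cheese, self.lp_supply = eth, cheese, lp_supply

    def swap_eth_in(self, eth_in):
        """Sell ETH into the pool; returns the CHEESE paid out."""
        eff = eth_in * (1 - FEE)
        out = self.cheese * eff / (self.eth + eff)
        self.eth += eth_in
        self.cheese -= out
        return out


def naive_lp_value(pool):
    """Assumed weak oracle: LP value in ETH read from current reserves (2 * ETH side)."""
    return 2 * pool.eth / pool.lp_supply


def fair_lp_value(pool, ref_cheese_in_eth):
    """Manipulation-resistant value: uses the invariant k and a reference price
    (e.g. a TWAP or external feed) instead of the instantaneous reserves."""
    k = pool.eth * pool.cheese
    return 2 * sqrt(k * ref_cheese_in_eth) / pool.lp_supply


def compare(eth_swapped):
    """Ratio of LP value after/before one large swap, under each valuation."""
    pool = Pool(eth=1_000.0, cheese=100_000.0, lp_supply=10_000.0)  # constructed
    ref = pool.eth / pool.cheese  # reference price taken before the trade
    before = (naive_lp_value(pool), fair_lp_value(pool, ref))
    pool.swap_eth_in(eth_swapped)
    after = (naive_lp_value(pool), fair_lp_value(pool, ref))
    return {"naive_ratio": after[0] / before[0], "fair_ratio": after[1] / before[1]}


if __name__ == "__main__":
    print(compare(20_000.0))  # one large same-transaction swap
```

In this model the reserve-based value of an LP token rises 21-fold after the swap, while the invariant-based value moves only by the fee accrued to the pool. A lending protocol that accepts LP tokens as collateral can compare the two values and reject borrows when they diverge.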


Smart contracts will typically blindly follow their instructions. In this case, as with others, that's highly lucrative for the attacker, at the expense of anyone else using the platform.


In general, it's not possible to know if a decentralized smart contract is fully secure against all future threats. The space continues to evolve over time.


For customer assets to remain secure in general, they should be stored offline in a multi-signature wallet, set up so that at least 3 of 4 different trained operators need to approve the withdrawal.



© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.