Another DeFi Protocol Hacked: Lost $ 3.3 Million


Although signs of recovery began to emerge after the sharp decline in the DeFi sector in September, the bad news started to come up again. After the Value DeFi attack that broke out recently on November 16, bad news came from Cheese Bank. As a result of the attack on Cheese Bank via flash loan, it was announced that a loss of $ 3.3 million was made.

DeFi protocol Cheese Bank was hacked.

Cheese Bank is known as a decentralized and autonomous digital banking protocol. In the official statement made today on both Twitter and Medium, the attack was confirmed. Cheese Bank officials stated that the software error in the protocol that opened the door to the attack was fixed, but some functions were temporarily disabled. It has been announced that the deactivation in question is to reduce the risks of such situations in the future.

In the post published by PeckShield, it is stated that the attack took place on November 6, 2020. On this date, it is stated that the attacker managed to steal USDC / USDT and DAI stablecoins worth $ 3.3 million.

So how did the attacker do this?

It is seen that the attacker first took a flash loan of 21,000 ETH from the dYdX protocol. The attacker then exchanges his 50 ETH with 107,000 CHEESEs, ie Cheese Bank’s protocol tokens, over the UniswapV2 platform.

As a next step, 107,000 CHEESE and 78 ETH are locked in liquidity via UniswapV2 and in return UNI_V2 LP tokens are reached. The attacker, who produces the sUSD_V2 token with all the LP tokens obtained, is actually using the software vulnerability right here. The attacker uses these LP tokens to get cryptocurrency loans through Cheese Bank.

The attacker then traded 20,000 ETH for 288,000 CHEESE, increasing the CHEESE price on UniswapV2 incredibly. This price increase increases the value of UNI_V2 LP tokens given to Cheese Bank in return for loans to a much higher level. Cheese Bank is using the amount of WETH in a liquidity pool to adjust the value of the respective LP tokens, and the attacker is pointing exactly at this weak spot. The UNI_V2-CHEESE-ETH pool manipulated on UniswapV2 allows the attacker to wave all USDC, USDT and DAIs on Cheese Bank.

$ 3.3 million gain

After the attacker finishes the whole transaction, he exchanges 288,000 CHEESE tokens for 19.98 ETH on UniswapV2. At the end of these transactions, the attacker earns $ 3.3 million and finally has a debt of 21,000 ETH to pay to the dYdX protocol. Later, the attacker, who transferred 21,000 ETH to dYdX, earns a serious profit thanks to the flash loan.

Image for post

Harvest Finance had previously suffered a similar attack and suffered a serious loss. The attack on the attack and the fact that DeFi protocols do not learn from this can change the perspective of investors on the industry. The biggest 11 DeFi attacks this year clearly show why investors are afraid to enter the industry.

Cheese Bank team, on the other hand, emphasized that they found important clues on the subject and that a detailed explanation will be made soon.


Please enter your comment!
Please enter your name here