SlowMist: A Brief Analysis on the Cellframe Hack

SlowMist
4 min read · Jun 2, 2023

On June 1, 2023, Cellframe experienced a flash loan attack that caused a 41.2% decline in the price of Cellframe ERC20 v2. We promptly carried out an investigation and uncovered the following information:

Relevant Information:

Attacker’s address: 0x2525c811EcF22Fc5fcdE03c67112D34E97DA6079

Attacker’s contract address: 0x1e2a251b29e84e1d6d762c78a9db5113f5ce7c48

Attack transaction: 0x943c2a5f89bc0c17f3fe1520ec6215ed8c6b897ce7f22f1b207fea3f79ae09a6

Attacker’s LP(OLD) addition transaction: 0xe2d496ccc3c5fd65a55048391662b8d40ddb5952dc26c715c702ba3929158cb9

Preliminary Information:

In this attack, several new and old contracts were involved. To make the analysis easier to follow, we refer to the new and old contracts by the parameter names they carry in the LpMigration contract:

address OLD_CELL: 0xf3E1449DDB6b218dA2C9463D4594CEccC8934346

address LP_OLD: 0x06155034f71811fe0D6568eA8bdF6EC12d04Bed2

address CELL: 0xd98438889Ae7364c7E2A3540547Fad042FB24642

address LP_NEW: 0x1c15f4E3fd885a34660829aE692918b4b9C1803d

Detailed Analysis:

1. The attacker executed a flash loan of 1000 BNB using DODO’s DPPOracle.

2. The attacker performed a flash loan of 500,000 CELL tokens through PancakeSwap V3.

3. In the PancakeSwap V2 LP_NEW pool, the attacker swapped the entire 500,000 flash-loaned CELL for 50 BNB. As a result, the BNB balance in the LP_NEW pool fell to 8, while the CELL balance rose to 550,000.

4. Following that, the attacker exchanged 900 BNB for OLD_CELL tokens in LP_OLD, a separate PancakeSwap V2 pool. During this phase, the LP_OLD pool had a balance of 902 BNB and only 7 OLD_CELL tokens.

5. After converting BNB to OLD_CELL, the attacker directly called the migrate function of the LpMigration contract to trigger the LP migration. Curiously, none of the steps analyzed up to this point acquired any LP tokens, so the source of the LP tokens being migrated was initially unclear.

6. Revisiting the attack contract and examining the preceding transaction revealed that the attacker had added liquidity to the LP_OLD pool beforehand, thereby obtaining LP(OLD) tokens.

7. The attacker executed a sequence of successive migrate operations on the LP(OLD) within the LP_OLD pool, with the following details:

First, the attacker called the migrateLP function, which removes liquidity from LP(OLD) and returns the underlying tokens to the user. Because the LP_OLD pool held a large amount of BNB and very little OLD_CELL, removing liquidity yielded a large calculated BNB amount and only a small OLD_CELL amount. The contract then called getReserves on the LP_NEW pool to obtain its BNB and CELL reserves. Owing to the earlier swap, LP_NEW held few BNB and a large number of CELL tokens, so the computed “result” was inflated and the token1 (CELL) amount calculated for the new liquidity was greatly overestimated.

8. It is important to emphasize that the LpMigration contract already held CELL tokens. Consequently, the token1 (CELL) that the attacker used to provide liquidity came from the LpMigration contract itself. The calculated amounts were then added as liquidity to the ROUTER_V2 pool. (PS: This also explains why, following the attack, Cellframe: Deployer used the withdrawCELL() function to recover all remaining CELL tokens from the contract.)

9. In essence, the attacker took advantage of the abundance of BNB and scarcity of OLD_CELL in the LP_OLD pool to maximize the BNB received from liquidity removal. Conversely, in the LP_NEW pool, where BNB was scarce and CELL was abundant, the attacker could provide liquidity using only a small amount of BNB while the contract supplied the inflated CELL amount. By repeating the migrate operation several times, the attacker turned these imbalanced conditions into profit.

10. Finally, the attacker withdrew liquidity from the LP_NEW pool and converted the OLD_CELL tokens from the LP_OLD pool into BNB. The attacker then used a newly created CELL-BUSD pool to convert the tokens into BUSD, which were exchanged for BNB to repay the flash loans. This series of actions left the attacker with a profit of 245.522826177178247245 BNB.
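As an added illustration (not SlowMist's or Cellframe's code), the following Python simulation reproduces the pricing mistake from steps 3 and 7 on a constant-product pool with constructed figures, and contrasts it with a guarded quote. The `guarded_quote` design, its reference ratio and the 10% deviation bound are assumptions for the example, not the project's actual fix.

```python
from dataclasses import dataclass

FEE = 0.9975  # PancakeSwap V2 style 0.25% swap fee (assumed for the example)

@dataclass
class Pool:
    """Constant-product (x*y=k) pool; bnb is token0, cell is token1."""
    bnb: float
    cell: float
    def swap_cell_for_bnb(self, cell_in: float) -> float:
        """Sell CELL into the pool and receive BNB, as in step 3."""
        eff = cell_in * FEE
        bnb_out = self.bnb * eff / (self.cell + eff)
        self.cell += cell_in
        self.bnb -= bnb_out
        return bnb_out
    def reserves(self):
        """Stands in for UniswapV2Pair.getReserves()."""
        return self.bnb, self.cell

def naive_quote(lp_new: Pool, bnb_amount: float) -> float:
    """Prices the CELL to pair with migrated BNB off live spot reserves (the flaw)."""
    r_bnb, r_cell = lp_new.reserves()
    return bnb_amount * r_cell / r_bnb

def guarded_quote(lp_new: Pool, bnb_amount: float, ref: float, max_dev: float = 0.10) -> float:
    """Hardened variant (assumed design): price off a reference CELL-per-BNB ratio
    (e.g. a TWAP or fixed migration ratio) and refuse when spot deviates > max_dev."""
    r_bnb, r_cell = lp_new.reserves()
    spot = r_cell / r_bnb
    if abs(spot - ref) / ref > max_dev:
        raise ValueError("LP_NEW spot ratio deviates from reference; migration refused")
    return bnb_amount * ref

def demo() -> dict:
    # Constructed pre-swap state consistent with step 3 (about 58 BNB / 50,000 CELL).
    honest = Pool(bnb=58.0, cell=50_000.0)
    ref = honest.cell / honest.bnb                 # about 862 CELL per BNB
    skewed = Pool(bnb=58.0, cell=50_000.0)
    bnb_out = skewed.swap_cell_for_bnb(500_000.0)  # flash-loaned CELL dumped into LP_NEW
    bnb_from_old = 10.0                            # BNB freed by removing LP_OLD liquidity
    try:
        guarded_quote(skewed, bnb_from_old, ref)
        rejected = False
    except ValueError:
        rejected = True
    return {"bnb_out": bnb_out, "fair_cell": naive_quote(honest, bnb_from_old),
            "inflated_cell": naive_quote(skewed, bnb_from_old),
            "guarded_fair": guarded_quote(honest, bnb_from_old, ref),
            "guarded_rejected": rejected}
```

With these figures the naive quote hands out more than 100 times the fair CELL amount for the same BNB, which is the surplus the LpMigration contract's own CELL balance ended up funding.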

Summary

The essence of this attack revolves around exploiting liquidity migration calculations. The attacker skillfully manipulated the liquidity in two distinct pools, causing an intentional imbalance, and effectively engaged in arbitrage activities.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, O3Swap, etc.

Website:
https://www.slowmist.com
Twitter:
https://twitter.com/SlowMist_Team
Github:
https://github.com/slowmist/
