Slowmist: Analysis of the Cellframe Hack

According to the SlowMist security team intelligence, on June 1, 2023, Cellframe was attacked by a flash loan, and the Cellframe ERC20 v2 price fell by 41.2%. The SlowMist security team intervened in analysis for the first time and shared the results as follows:

Related Information

Attacker address:


Attacker contract address:


Attack transaction:


Attacker added LP (OLD) transaction:


Preliminary Information

Multiple new and old contracts appeared in this attack, and we will use the parameter names of the new and old contracts in the LpMigration contract as the contract names in this attack analysis.

address OLD_CELL: 0xf3E1449DDB6b218dA2C9463D4594CEccC8934346

address LP_OLD: 0x06155034f71811fe0D6568eA8bdF6EC12d04Bed2

address CELL: 0xd98438889Ae7364c7E2A3540547Fad042FB24642

address LP_NEW: 0x1c15f4E3fd885a34660829aE692918b4b9C1803d

Specific Details Analysis

1. Borrowed 1000 BNB through DODO’s DPPOracle flash loan.

2. Borrowed 500,000 CELL through BlockingncakeSwap V3 flash loan.

3. In the LP_NEW pool of BlockingncakeSwap V2, the attacker swapped all the 500,000 CELL tokens obtained from the flash loan for 50 BNB. At this time, there were only 8 BNB left in the LP_NEW pool, and CELL had 550,000.

4. Immediately afterwards, the attacker swapped 900 BNB for OLD_CELL in another BlockingncakeSwap V2 pool, LP_OLD pool. At this time, the BNB quantity in LP_OLD was 902, and OLD_CELL had only 7.

5. After the attacker exchanged BNB for OLD_CELL, we found that the attacker directly called the migrate function of the LpMigration contract for LP migration. Strangely, in our previous analysis, the attacker did not obtain LP Tokens, so where did these LP Tokens come from?

6. Returning to the attack contract, it can be found through the transaction before the attack that the attacker added liquidity to the LP_OLD pool in the transaction, obtaining LP(OLD) Tokens.

7. The attacker repeatedly performed migrate operations on the LP(OLD) in the LP_OLD pool, with the following details:

First, the migrateLP function is called to remove the liquidity of LP(OLD) and return the tokens to the user. Since there are many BNB tokens in the LP_OLD pool, when removing liquidity, the calculated amount of BNB obtained will increase and OLD_CELL will decrease. Then, getReserves is called to obtain the number of BNB and CELL in the LP_NEW pool. Due to the previous swap operation, the number of BNB in the LP_NEW pool is small, and the number of CELL is large, so the calculated resoult value will be biased towards a larger value, making the newly calculated token1 value of CELL also biased towards a larger value.

8. However, there are CELL tokens in the LpMigration contract. Therefore, the token1 token CELL used by the attacker to add liquidity comes from the LpMigration contract. Then, the calculated result is added to the ROUTER_V2 pool. (PS: This is also why after the attack, Cellframe: Deployer will withdraw all CELL tokens from the contract through the withdrawCELL() function.)

9. In other words, the attacker used the fact that there were more BNB and fewer OLD_CELL in the LP_OLD pool to obtain more BNB by removing liquidity. In the case of fewer BNB and more CELL in the LP_NEW pool, a small amount of BNB and CELL can be used to add liquidity. The attacker made a profit by performing multiple migrate operations.

10. Finally, the attacker removed the liquidity of LP_NEW, exchanged OLD_CELL for BNB in the LP_OLD pool, and exchanged it for BUSD before exchanging it for BNB in a new CELL-BUSD pool to repay the FlashLoan, making a profit of 245.522826177178247245 BNB.


The core of this attack lies in the use of liquidity migration calculation. The attacker manipulates the liquidity in two different pools to make them unbalanced and then make profits through arbitrage.

Like what you're reading? Subscribe to our top stories.

We will continue to update Gambling Chain; if you have any questions or suggestions, please contact us!

Follow us on Twitter, Facebook, YouTube, and TikTok.


Was this article helpful?

93 out of 132 found this helpful

Gambling Chain Logo
Digital Asset Investment
Real world, Metaverse and Network.
Build Daos that bring Decentralized finance to more and more persons Who love Web3.
Website and other Media Daos

Products used

GC Wallet

Send targeted currencies to the right people at the right time.