SlowMist: Analysis of the Cellframe Hack

According to SlowMist security team intelligence, on June 1, 2023, Cellframe suffered a flash loan attack, and the price of Cellframe ERC20 v2 fell by 41.2%. The SlowMist security team began analyzing the incident immediately and shares the results below:

Related Information

Attacker address:

0x2525c811EcF22Fc5fcdE03c67112D34E97DA6079

Attacker contract address:

0x1e2a251b29e84e1d6d762c78a9db5113f5ce7c48

Attack transaction:

0x943c2a5f89bc0c17f3fe1520ec6215ed8c6b897ce7f22f1b207fea3f79ae09a6

Attacker added LP (OLD) transaction:

0xe2d496ccc3c5fd65a55048391662b8d40ddb5952dc26c715c702ba3929158cb9

Preliminary Information

Several old and new contracts are involved in this attack. This analysis refers to them by the parameter names used for them in the LpMigration contract.

address OLD_CELL: 0xf3E1449DDB6b218dA2C9463D4594CEccC8934346

address LP_OLD: 0x06155034f71811fe0D6568eA8bdF6EC12d04Bed2

address CELL: 0xd98438889Ae7364c7E2A3540547Fad042FB24642

address LP_NEW: 0x1c15f4E3fd885a34660829aE692918b4b9C1803d

Specific Details Analysis

1. Borrowed 1000 BNB through DODO’s DPPOracle flash loan.

2. Borrowed 500,000 CELL through PancakeSwap V3 flash loan.

3. In the LP_NEW pool of PancakeSwap V2, the attacker swapped all the 500,000 CELL tokens obtained from the flash loan for 50 BNB. At this time, there were only 8 BNB left in the LP_NEW pool, and CELL had 550,000.

4. Immediately afterwards, the attacker swapped 900 BNB for OLD_CELL in another PancakeSwap V2 pool, LP_OLD pool. At this time, the BNB quantity in LP_OLD was 902, and OLD_CELL had only 7.

5. After swapping BNB for OLD_CELL, the attacker directly called the migrate function of the LpMigration contract to migrate LP. Yet nothing in the steps analyzed so far gave the attacker any LP tokens, so where did these LP tokens come from?

6. Looking back at the attack contract, a transaction sent before the attack shows that the attacker had added liquidity to the LP_OLD pool and obtained LP(OLD) tokens.

7. The attacker repeatedly performed migrate operations on the LP(OLD) in the LP_OLD pool, with the following details:

First, the migrateLP function is called to remove the LP(OLD) liquidity and return the tokens to the user. Because the LP_OLD pool holds a lot of BNB, removing liquidity returns more BNB and less OLD_CELL. Then, getReserves is called to obtain the amounts of BNB and CELL in the LP_NEW pool. Because of the earlier swap, the LP_NEW pool holds little BNB and a lot of CELL, so the calculated resoult value is skewed upward, which in turn skews the newly calculated token1 value of CELL upward.

8. However, the LpMigration contract itself holds CELL tokens. The token1 CELL used to add liquidity for the attacker therefore comes from the LpMigration contract. Then, the calculated result is added to the ROUTER_V2 pool. (PS: This is also why, after the attack, Cellframe: Deployer withdrew all CELL tokens from the contract through the withdrawCELL() function.)

9. In other words, the attacker used the fact that there were more BNB and fewer OLD_CELL in the LP_OLD pool to obtain more BNB by removing liquidity. In the case of fewer BNB and more CELL in the LP_NEW pool, a small amount of BNB and CELL can be used to add liquidity. The attacker made a profit by performing multiple migrate operations.

10. Finally, the attacker removed the liquidity of LP_NEW, exchanged OLD_CELL for BNB in the LP_OLD pool, and exchanged it for BUSD before exchanging it for BNB in a new CELL-BUSD pool to repay the FlashLoan, making a profit of 245.522826177178247245 BNB.

Summary

The core of this attack is the calculation used during liquidity migration. The attacker manipulated the liquidity in two different pools to unbalance them and then profited through arbitrage.
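The calculation described in steps 7 to 9, as an added Python model (not SlowMist's or Cellframe's code). It assumes migrate prices the CELL side as the LP_NEW reserve ratio times the BNB withdrawn, uses the rounded reserve figures above, and burns a constructed LP share; guarded_quote and its reference price are a hypothetical mitigation, not part of the original contract.

```python
WEI = 10**18  # amounts are integers in wei, as they would be on-chain

def remove_liquidity(bnb_reserve, token_reserve, lp_amount, lp_supply):
    """Pro-rata payout for burning lp_amount out of lp_supply LP tokens."""
    return (bnb_reserve * lp_amount // lp_supply,
            token_reserve * lp_amount // lp_supply)

def spot_quote(bnb_in, new_bnb, new_cell):
    """ASSUMED migrate pricing: CELL paired with bnb_in at the LP_NEW spot ratio."""
    return (new_cell // new_bnb) * bnb_in

def guarded_quote(bnb_in, new_bnb, new_cell, ref_cell_per_bnb, max_dev_bps=500):
    """Same quote, but refuse when the spot ratio strays from a reference price.

    ref_cell_per_bnb stands for a manipulation-resistant price such as a
    time-weighted average (hypothetical parameter, not from the article).
    """
    spot = new_cell // new_bnb
    dev_bps = abs(spot - ref_cell_per_bnb) * 10_000 // ref_cell_per_bnb
    if dev_bps > max_dev_bps:
        raise ValueError(f"LP_NEW spot ratio is {dev_bps} bps off the reference")
    return spot * bnb_in

def demo():
    # LP_NEW before step 3 is derived from the text: 8 + 50 BNB, 550,000 - 500,000 CELL.
    balanced = (58 * WEI, 50_000 * WEI)
    skewed = (8 * WEI, 550_000 * WEI)      # LP_NEW after step 3
    # LP_OLD after step 4; burning 1/1000 of the LP supply is a constructed value.
    bnb_out, _old_cell_out = remove_liquidity(902 * WEI, 7 * WEI, 1, 1000)
    balanced_cell = spot_quote(bnb_out, *balanced)   # CELL the contract would add normally
    skewed_cell = spot_quote(bnb_out, *skewed)       # CELL it adds at the skewed ratio
    try:
        guarded_quote(bnb_out, *skewed, ref_cell_per_bnb=862)
        blocked = False
    except ValueError:
        blocked = True
    return bnb_out, balanced_cell, skewed_cell, blocked

if __name__ == "__main__":
    bnb_out, balanced_cell, skewed_cell, blocked = demo()
    print(f"BNB withdrawn from LP_OLD: {bnb_out / WEI}")
    print(f"CELL supplied at balanced ratio: {balanced_cell / WEI}")
    print(f"CELL supplied at skewed ratio:   {skewed_cell / WEI}")
    print(f"guard rejects skewed migration:  {blocked}")
```

With these figures the contract supplies roughly 80 times more of its own CELL per migration at the skewed ratio than at the balanced one, which is the subsidy the repeated migrate calls extracted.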
