Cellframe Network suffered a flash loan attack, resulting in a loss of $76,000.

Analysis of the Flash Loan Attack Incident on Cellframe Network

On June 1, 2023, at 10:07:55 (UTC+8), Cellframe Network was hacked on a certain smart chain due to a token quantity calculation issue during the liquidity migration process. This attack resulted in the hacker profiting approximately $76,112.

Root Cause of the Attack

The main cause of this attack was a calculation issue in the liquidity migration process.

Detailed Explanation of the Attack Process

  1. The attacker first obtains 1,000 native tokens of a certain chain and 500,000 New Cell tokens through flash loans. They then exchange all of the New Cell tokens for native tokens, which drives the amount of native tokens in the liquidity pool close to zero. Finally, the attacker exchanges 900 native tokens for Old Cell tokens.

  2. Note that before launching the attack, the attacker had added liquidity for Old Cell and native tokens in advance, obtaining Old LP tokens.

  3. Next, the attacker invoked the liquidity migration function. At this point, there were almost no native tokens in the new pool, and almost no Old Cell tokens in the old pool. The migration process includes the following steps:

    • Remove old liquidity and return the corresponding amount of tokens to the user
    • Add new liquidity according to the new pool's ratio

    Because the old pool holds almost no Old Cell tokens, removing liquidity returns more native tokens and fewer Old Cell tokens. As a result, users only need to add a small amount of native tokens and New Cell tokens to acquire liquidity, while the excess native tokens and Old Cell tokens are returned to the users.

  4. Finally, the attacker removes the liquidity from the new pool and exchanges the Old Cell tokens returned from the migration for native tokens. At this point, there are a large number of Old Cell tokens in the old pool but almost no native tokens, so the attacker exchanges the Old Cell tokens back into native tokens, thus completing the profit. Subsequently, the attacker repeats the migration operation.

Security Recommendations

  1. When migrating liquidity, it is important to comprehensively consider the changes in the quantities of the two tokens in the old and new pools as well as the current token prices. Relying solely on the quantities of the two tokens in the trading pair for calculations can be easily manipulated.

  2. Before deploying the code, it is essential to conduct a comprehensive and thorough security audit to identify and fix potential vulnerabilities.
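
A sketch of recommendation 1, added here as an example and not taken from Cellframe's code or the original article: a simplified constant-product pool model (fees ignored, reserves constructed) in which the migration quote is refused when either pool's spot price has moved away from a reference price. The names `ref_old`, `ref_new` and `tol` are assumptions; the reference could be, for example, a time-averaged price.

```python
from dataclasses import dataclass

class MigrationRejected(Exception):
    """Spot price implied by pool reserves is too far from the reference price."""

@dataclass
class Pool:
    native: float     # native-token reserve
    cell: float       # Cell-token reserve (Old Cell or New Cell)
    lp_supply: float  # LP tokens outstanding

    def spot(self) -> float:
        """Cell price in native tokens, derived from reserves alone."""
        return self.native / self.cell

    def swap_native_in(self, amount: float) -> float:
        """Constant-product swap (fees ignored): native in, Cell out."""
        k = self.native * self.cell
        self.native += amount
        out = self.cell - k / self.native
        self.cell -= out
        return out

    def removal_quote(self, lp: float) -> tuple[float, float]:
        """Pro-rata (native, Cell) returned for burning `lp` LP tokens."""
        share = lp / self.lp_supply
        return self.native * share, self.cell * share

def guarded_migration_quote(old, new, lp, ref_old, ref_new, tol=0.05):
    """Quote the old-pool removal only if both pools sit near their reference
    price. ref_old / ref_new are assumed inputs, not values read from reserves."""
    for name, pool, ref in (("old", old, ref_old), ("new", new, ref_new)):
        deviation = abs(pool.spot() - ref) / ref
        if deviation > tol:
            raise MigrationRejected(f"{name} pool spot price off by {deviation:.0%}")
    return old.removal_quote(lp)

def demo():
    # Constructed reserves; both pools start at 0.01 native per Cell.
    old, new = Pool(10.0, 1000.0, 100.0), Pool(20.0, 2000.0, 200.0)
    before = guarded_migration_quote(old, new, 10.0, 0.01, 0.01)
    old.swap_native_in(90.0)             # large same-transaction swap skews the old pool
    unguarded = old.removal_quote(10.0)  # what a reserves-only calculation pays out
    try:
        guarded_migration_quote(old, new, 10.0, 0.01, 0.01)
        rejected = False
    except MigrationRejected:
        rejected = True
    return before, unguarded, rejected

if __name__ == "__main__":
    print(demo())
```

With the same LP amount, the reserves-only quote shifts from mostly Cell to mostly native tokens once the pool is skewed, which is the effect described in step 3; the guarded path refuses to quote in that state.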

This incident once again highlights the importance of security and code quality in the decentralized finance (DeFi) space. Project teams need to remain vigilant, improve security measures, and protect user assets while maintaining the healthy development of the ecosystem.

BTCBeliefStationvip
· 7h ago
This profit is too meager.
BlockDetectivevip
· 12h ago
Another old trap attack method.
New_Ser_Ngmivip
· 19h ago
Clip Coupons is such a hassle.
LightningAllInHerovip
· 07-12 15:40
Still haven't learned to behave, huh?
Yogawvip
· 07-10 22:45
still very small with such losses!
GateUser-a180694bvip
· 07-10 20:22
Another Algorithm vulnerability
MeaninglessApevip
· 07-10 20:18
Another sucker that has been played for.
MEVictimvip
· 07-10 20:11
Another flash loan attack
MetaverseLandlordvip
· 07-10 20:03
Another code vulnerability
JustHereForAirdropsvip
· 07-10 19:57
The loss isn't that big, right?