CHEESE Swap Token Attack Post-mortem, March 15, 2022.

Dear Hamster Ecosystem community,

First of all, we would like to thank everyone for their unwavering support while we investigated the attack that happened on Tuesday, February 28th, at 08:34 UTC. An attacker exploited the original deployer account of the CHEESE Swap Token MasterChef and the Hamster Stake SmartChef contracts to steal over 3 billion CHEESE tokens and over 266 trillion HAMSTER tokens.

The attacker used the compromised private key of the original contract deployer to call the transfer function of the CHEESE token smart contract, and the same deployer key to call the emergencyWithdraw function of the SmartChef smart contract holding HAMSTER.

With CHEESE and HAMSTER tokens transferred out of the MasterChef and SmartChef smart contracts, the attacker held 3,246,522,829.29 CHEESE tokens and 266,103,482,681,650 HAMSTER tokens, which they then proceeded to sell on PancakeSwap for a total of 1,790.93 BNB. We then asked all CHEESE and HAMSTER token holders to cease all transactions in order to mitigate further risk. We called in industry experts (Crystal Blockchain, CertiK, AML Office, Binance, Hackerone) to further safeguard users and specify next steps.

To prevent any further damage by the attacker, CHEESE Swap Token is relaunching its token to wipe the attacker from the ledger of token holders, moving control of the new token contract to a multisig and timelock, and securing comprehensive security and process audits to ensure we are never again vulnerable to this kind of attack or others.

Timeline of Events on February 28, 2022

08:34 UTC — Attacker loads CHEESE Swap Token and SmartChef deployer with funds.

08:56 UTC — Hamster team notices unusual transactions as attacker sells large amounts of CHEESE and HAMSTER on PancakeSwap.

09:45 UTC — Hamster team initiates war room to understand the attack.

10:52 UTC — Hamster Team starts calling in support partners (Crystal Blockchain, CertiK, AML Office, Binance, Hackerone, etc.).

12:30 UTC — Hamster team announces hack to community and warns users to not transact.

Technical Analysis of the Attack

The root cause of the attack was a combination of two vulnerabilities: a leaked private key and a failure in key management processes. Our code was not compromised, and we maintain faith in our CertiK audit.

The first failure was a private key leak. We have identified the cause of the private key leak, and have mitigated it. Because we have not fully resolved the situation with the responsible party we are not disclosing details on how the private key was leaked at this time. As far as we can tell, it was not a malicious leak, and we have no reason to think that it was.

The second failure was a key management failure. The compromised private key provided access to the MasterChef of the Cheese Swap token contract and to the SmartChef contract, and was used to modify the token contract to allow the attacker to maliciously transfer Cheese and Hamster tokens. The attacker proceeded to sell the transferred Cheese and Hamster tokens on PancakeSwap for BNB.

Ownership of the contract was not fully transferred, while we had reason to believe the transfer was total and complete to the fullest extent. We were mistaken, and assume full responsibility for our lack of thorough verification.

As a result, the attacker proceeded to use the compromised private key to do the following:

The attacker transferred CHEESE tokens in the following transactions:

0x619870d51ed27471479005f1228edb9a8252a501eee2dc92e5e653f341c6112f

0xb289038d1a82561205d77b9a4fcb9d9dd93afbd7bd07815e3824bab28a6bb00c

0xc232a314f15a506d2cef704bf18733c9c17267173b87596b70955a178ae604ba

0x4365ad7a01307a31cc86a7f5103d9cb0acc8e9c179482218daa0e12fa5b02069

0xf455453dbe3ae09505977f5e157d00398da092ed4f629a72ae39b69bb893ed5b

0xce8c25b84367d0a71d3cf1f5adf2f139017e0e3125fbc456834fd8976bd67cb0

The attacker transferred HAMSTER tokens in the following transactions:

0x8438cf7ecb4f60d2697440de8d300e2fab4381057ebf13d0bb42f399d8387e4f

0x631c7b14b55bc57a6af0f63c7157379238ff64b470674dd0a2bcd087f5c55d1d

0xfcbfefb2505e637df92653fa2def05ecf879d41c59cb443c6482a73676dc8fb0

0xbcb859936bdf3c7046ba6ae5eb20f67db922e0fddfa7c748f586fceddd542682

0xc3a889574f8c1b3f6230e3bd26a5047fc127b2becf6145ffe3a7134f5bd32f78

0x464ff77adbf6ae144ebec3b518c5dd924a4c72bbc7aa1dba66ff3ee2d682b7e6

0x73daf09685aa36827efce88c4d761522eb9ba6dfe06e3a5a63d01e5547d3ef95

0xa371fbfb46c462e95c3c8c6c1d5da368686b2f4d36b89bfbd1c0df35435bf348

0x13ec02d2cc39fda296cc317ea51cc4694e76e19c8c1ef5bd3bd7b745ac44a01a

0x0cea6e664d46ce95e11206c5196365c3dda8f736bab8fa72f3360394bc7c4efe

0x0104838b18ce64a9412997007bb483b26e8f0f87b224d19f71a28838fef7d9a0

The attacker approved trading on PancakeSwap for their address in the following transactions:

0x6c94aaa32850542380fbd9ce89099addacf1f15bec29cf0b60092a243c3fb71e

0xde126df06404cfd1bb07738a4b42a8c29fde13767cc976c8d5c0b974e6db3fb5

0x52eae33b67fc6386c702030b80efefbff456682f2b00a904e1dc1e8e007a619b

0xf455453dbe3ae09505977f5e157d00398da092ed4f629a72ae39b69bb893ed5b

0x0929dfd367256347d9556daf9d199894fa9458bad8cca798ba3a9255c79e0515

0x0598937fa1c2c5c67f25d6d88f81842a646b3f875620502bcf1795e5bf825824

0x8d207138a6ad3b47c3b1cd8caeb9d835a8a757a0e3332f2d8c2f3184d2336c5d

Tracking of the attacker's transfers after trading on PancakeSwap:

0x0b5800832a988967a61a39214411bf44a7e360b1b9d0ee7475fa648204b64e52

0x48e8924837b133ca6dcf4dadf9301b8dcbdd285d4ea1d24c6e02727e8fc2741d

0x5694448a4c7228045d4a7572ef7475a94d379fafe30e6261578629e63e3ea8f8

0x7d01da84a7380b271cbfbe7966fdb000ff14f109c35429c360f1396b1b24efdb

0x0820394271547c5a27a4958c6902d078119e2255701ee813dfc5f66d86a4dd2b

0x03ead11592cec2c02207e8961f9aa987bd89d3e64ef7a029bf633ee1709566d0

What’s next for HAMSTER Ecosystem

We were fortunate enough that the rapid action by the team minimized the damage. Ultimately, this hack was the result of several security failures. We at Hamster Ecosystem take full responsibility for these failures, and have resolved the security vulnerabilities to make sure these failures can never happen again. To effect that, we are:

We at Hamster Ecosystem take full responsibility, and all stolen HAMSTER tokens have already been airdropped to holders.

Relaunching the token contract to wipe out the attacker tokens. We will be relaunching the $CHEESE token contract to invalidate the attackers’ tokens. The attacker’s $CHEESE will be removed from token supply. v2 $CHEESE tokens will be airdropped to holders of the v1 token, the details of which are being carefully considered to ensure the fairest outcome.

Moving contract control to a multisig. All future contracts will be controlled by a multisig, controlled by members of the Hamster Ecosystem team. Never again will Hamster Ecosystem be vulnerable to the compromise of a single private key, and all contract changes will have to be cleared by the multisig key holders.

Comprehensive security and process audits. Going forward we will commission security process audits and seek out expertise on information technology security best practices. All private keys will be heavily secured if in use, or destroyed if not.
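The root cause described in the technical analysis was an ownership transfer that was believed complete but never verified, and the remediation above moves every contract behind a multisig. The following is an added example, not tooling from the Hamster team, of the check a team can run after any such transfer: for each contract that custodies user funds, read `owner()` and flag anything still owned by a single externally-owned account (one private key) or by a contract other than the intended multisig. The contract names and addresses are constructed placeholders, and chain access is injected (in production the two callbacks would wrap `eth_call` and `eth_getCode` on a BSC RPC endpoint) so the audit runs offline here.

```python
"""Ownership audit for contracts that custody user funds.

Added example, not tooling from the Hamster team: given the contracts a
project is responsible for and the multisig they are supposed to be owned by,
read owner() from each one and flag anything still controlled by a single
externally-owned account (EOA), i.e. by one private key.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# keccak256("owner()")[:4], the selector of the OpenZeppelin Ownable getter.
OWNER_SELECTOR = "0x8da5cb5b"

# Chain access is injected so the audit runs offline against constructed data.
# In production these wrap eth_call and eth_getCode on a BSC RPC endpoint.
EthCall = Callable[[str, str], str]  # (to, calldata) -> ABI-encoded return data
GetCode = Callable[[str], str]       # address -> runtime bytecode ("0x" for an EOA)


def decode_address_word(word_hex: str) -> str:
    """Decode one 32-byte ABI return word into a lowercase 0x-prefixed address."""
    raw = word_hex[2:] if word_hex.startswith("0x") else word_hex
    if len(raw) != 64:
        raise ValueError(f"expected a 32-byte ABI word, got {len(raw) // 2} bytes")
    if int(raw[:24], 16) != 0:
        raise ValueError("upper 12 bytes of an address word must be zero")
    return "0x" + raw[-40:].lower()


@dataclass
class Finding:
    contract: str
    owner: str
    status: str  # "ok" | "owner-is-eoa" | "wrong-owner" | "no-owner"


def audit_ownership(contracts: Dict[str, str], expected_owner: str,
                    eth_call: EthCall, get_code: GetCode) -> List[Finding]:
    """Return one Finding per contract; anything other than "ok" needs a human."""
    expected = expected_owner.lower()
    findings: List[Finding] = []
    for name, addr in contracts.items():
        try:
            owner = decode_address_word(eth_call(addr, OWNER_SELECTOR))
        except (ValueError, RuntimeError):
            # No Ownable interface, or the call reverted: verify by hand.
            findings.append(Finding(name, "", "no-owner"))
            continue
        if get_code(owner) in ("0x", ""):
            status = "owner-is-eoa"   # one private key controls this contract
        elif owner != expected:
            status = "wrong-owner"    # a contract, but not the multisig we expect
        else:
            status = "ok"
        findings.append(Finding(name, owner, status))
    return findings


# ---- constructed sample data: placeholder addresses, not the real contracts ----
MULTISIG = "0x" + "a1" * 20       # intended owner (a multisig contract)
DEPLOYER_EOA = "0x" + "b2" * 20   # original deployer key
OLD_TIMELOCK = "0x" + "c3" * 20   # a contract, but not the intended one
SAMPLE_CONTRACTS = {
    "MasterChef": "0x" + "11" * 20,
    "SmartChef": "0x" + "22" * 20,
    "CheeseToken": "0x" + "33" * 20,
    "Router": "0x" + "44" * 20,   # exposes no owner() at all
}
_OWNER_OF = {
    SAMPLE_CONTRACTS["MasterChef"]: MULTISIG,
    SAMPLE_CONTRACTS["SmartChef"]: DEPLOYER_EOA,   # an ownership transfer that never happened
    SAMPLE_CONTRACTS["CheeseToken"]: OLD_TIMELOCK,
}
_CODE_OF = {MULTISIG: "0x6080604052", OLD_TIMELOCK: "0x6080604052"}  # EOAs have no code


def sample_eth_call(to: str, calldata: str) -> str:
    if calldata != OWNER_SELECTOR or to not in _OWNER_OF:
        raise RuntimeError("execution reverted")
    return "0x" + _OWNER_OF[to][2:].rjust(64, "0")   # ABI-encode the address


def sample_get_code(addr: str) -> str:
    return _CODE_OF.get(addr, "0x")


def run_sample() -> Dict[str, str]:
    """Audit the constructed contract set; returns {contract name: status}."""
    findings = audit_ownership(SAMPLE_CONTRACTS, MULTISIG, sample_eth_call, sample_get_code)
    return {f.contract: f.status for f in findings}


if __name__ == "__main__":
    for name, status in run_sample().items():
        print(f"{name:12s} {status}")
```

The check treats "owner has no code" as its own finding rather than folding it into "wrong owner", because that is the exact condition behind this incident: a contract whose owner is an EOA is one leaked key away from an emergencyWithdraw. Running it on a schedule, and again immediately after every transferOwnership, turns "we had reason to believe the transfer was complete" into something the team can prove.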

The team is working to resolve the situation in the most fair and effective way. Through this process, we’ve enhanced security processes and will continue to power through as we always have for our community.

We would like to reiterate that our team is fully dedicated to the long-term success of this project. We continue to have full faith and integrity in the future of our project.

We firmly stand by our project. We will continue our full commitment to push forward our shared vision of Hamster Ecosystem as a disruptive and transformational force in the blockchain industry, and the world at large. We humbly ask you, the community, to maintain faith in our ability to realize our vision as we overcome this challenge. With our renewed emphasis on security and best practices, we are confident we will succeed.

Last but not least, please know we will continue to update our community with new information and developments as the situation develops.

Sincerely,

Hamster Team
