CHEESE Swap Token Attack Post-mortem, March 15, 2022.
Dear Hamster Ecosystem community,
First of all, we would like to thank everyone for their unwavering support while we investigated the attack that happened on Tuesday, February 28th, at 08:34 UTC. An attacker exploited the CHEESE Swap Token’s MasterChef and SmartChef of Hamster Stake deployer contracts to steal over 3 billion CHEESE tokens and over 266 trillion HAMSTER tokens.
The attacker used a compromised private key to the original contract deployer to leverage the transfer function of the smart contract for CHEESE tokens and contract deployer to leverage the emergencyWithdraw function of the smart contract of SmartChef for Hamster.
With the transfers of CHEESE and HAMSTER tokens from MasterChef and SmartChef smart contracts, the attacker then 3,246,522,829.29 CHEESE tokens 266,103,482,681,650 HAMSTER tokens which they then proceeded to sell on PancakeSwap for a total of 1,790.93 BNB. We then asked all CHEESE and HAMSTER token holders to cease all transactions in order to mitigate further risk. We called in industry experts (Crystal Blockchain, CertiK, AML Office, Binance, Hackerone) to further safeguard users and specify next steps.
To prevent any further damage by the attacker, CHEESE Swap Token is relaunching its token to wipe the attacker from the ledger of token holders, moving control of the new token contract to a multisig and timeblocker and securing comprehensive security and process audits to ensure we are never again vulnerable to this kind of attack or others.
Timeline of Events on February 28, 2022
08.34 UTC — Attacker loads CHEESE Swap Token and SmartChef deployer with funds.
08:56 UTC — Hamster team notices unusual transactions as attacker sells large amounts of CHEESE and HAMSTER on PancakeSwap.
09:45 UTC — Hamster team initiates war room to understand the attack.
10:52 UTC — Hamster Team starts calling in support partners (Crystal Blockchain, CertiK, AML Office, Binance, Hackerone etc).
12:30 UTC — Hamster team announces hack to community and warns users to not transact.
Technical Analysis of the Attack
The root cause of the attack was a combination of two vulnerabilities: a leaked private key and a failure in key management processes. Our code was not compromised, and we maintain faith in our CertiK audit.
The first failure was a private key leak. We have identified the cause of the private key leak, and have mitigated it. Because we have not fully resolved the situation with the responsible party we are not disclosing details on how the private key was leaked at this time. As far as we can tell, it was not a malicious leak, and we have no reason to think that it was.
The second failure was a key management failure. The compromised private key provided access to the MasterChef of Cheese Swap token contract and SmartChef Contract, and was used to modify the token contract to allow the attacker to maliciously transfer of Cheese and Hamster tokens. The attacker proceeded to sell the transferred Cheese and Hamster tokens on PancakeSwap for BNB.
Ownership of the contract was not fully transferred, while we had reason to believe the transfer was total and complete to the fullest extent. We were mistaken, and assume full responsibility for our lack of thorough verification.
As a result, the attacker proceeded to use the compromised private key to do the following:
Attacker transferred CHEESE tokens from below TXs:
Attacker transferred HAMSTER tokens from below TXs:
Attacker approves trading on Pancake for his address. TXs:
Attacker transfers tracking after trading on Pancake:
What’s next for HAMSTER Ecosystem
We were fortunate enough that the rapid action by the team minimized the damage. Ultimately, this hack was the result of several security failures. We at Hamster Ecosystem take full responsibility for these failures, and have resolved the security vulnerabilities to make sure these failures can never happen again. To affect that, we are:
We at Hamster Ecosystem take full responsibility and all stolen Hamster tokens airdropped to holders already.
Relaunching the token contract to wipe out the attacker tokens. We will be relaunching the $CHEESE token contract to invalidate the attackers’ tokens. The attacker’s $CHEESE will be removed from token supply. v2 $CHEESE tokens will be airdropped to holders of the v1 token, the details of which are being carefully considered to ensure the fairest outcome.
Moving contract control to a multisig. All future contracts will be controlled by a multisig, controlled by members of the Hamster Ecosystem team. Never again will Hamster Ecosystem be vulnerable to the compromise of a single private key, and all contract changes will have to be cleared by the multisig key holders.
Comprehensive security and process audits. Going forward we will commission security process audits and seek out expertise on information technology security best practices. All private keys will be heavily secured if in use, or destroyed if not.
The team is working to resolve the situation in the most fair and effective way. Through this process, we’ve enhanced security processes and will continue to power through as we always have for our community.
We would like to reiterate that our team is fully dedicated to the long-term success of this project. We continue to have full faith and integrity in the future of our project.
We firmly stand by our project. We will continue our full commitment to push forward our shared vision of Hamster Ecosystem as a disruptive and transformational force in the blockchain industry, and the world at large. We humbly ask you, the community, to maintain faith in our ability to realize our vision as we overcome this challenge. With our renewed emphasis on security and best practices, we are confident we will succeed.
Last but not the least, please know we will continue to update our community with new information and developments as the situation develops.