Pancake Bunny flash loan attack, BUNNY loses 95% of value

Hi there students,

Following yesterday’s Venus protocol exploit, another massive attack happened on BSC, on PancakeBunny this time. This attack happened to be on the bloodiest day of the cryptoverse since 2017, which amplified the hit that BNB and other major BSC coins (like CAKE) took. BUNNY lost 95% of its face value ($150->$8), while BNB sits at $315. CAKE also took a bit hit and is at $15 right now. So what happened? What tools did the attacker use to plummet a whole market alone? Let’s have a look.

1. What’s PancakeBunny?

PancakeBunny is one of the many yield aggregators and optimizers you can find in the DeFi landscape. They basically operate pools that invest into the liquidity pools of other operators (like PancakeSwap), and add value by auto-compounding the gains, while boosting the yield received by the user with its native token (BUNNY).

2. Flash loans

The attacker in this case used a flash loan to manipulate the price of the BNB/USDT and BNB/BUNNY pairs. So what’s a flash loan, you might ask? A flash loan is a concept unique to DeFi: it allows you to borrow tons of money, for absolutely no collateral. Basically, platforms like Cream, Venus or PancakeSwap allow users to borrow money, as long as they pay it back in the same transaction. The important part here is that the payback needs to happen in the same transaction.

What does this mean? It means that the user needs to write a single smart contract, with the following sequence:

  • Borrow money (BNB for example)
  • Do something with it (swaps, arbitrage, liquidations…)
  • Pay the money back before the transaction ends

If at the end of the transaction the user doesn’t have enough money to pay back the platform, then the whole transaction is reverted like nothing happened. So the lender is not taking any risk (you can’t cheat the blockchain), while the borrower only risks the gas fees.

3. The PancakeBunny attack

The transactions made by the attacker

So how did the attacker use the above concept to attack PancakeBunny?

Before the flash loan, it seems that the attacker already had some liquidity locked in the USDT/WBNB vault of PancakeBunny.

Here are the steps he took after that for the actual attack:

Flash loans taken by the attacker

Step 1: It seems that they took flash loans from 2 lenders:

  • 2,315,632 BNB (~$700m) on PancakeSwap through multiple pools. Not a lot of people know this, but as a Uniswap fork, PancakeSwap provides flash loans the same way Uniswap does.

Adding liquidity

Step 2: Then the attacker added 2.9m USDT and 7700 BNB into the USDT-WBNB pool on PancakeSwap. Following that, they swapped 2,315,632 BNB to USDT using the same pool, in order to manipulate the USDT pricing.

Let’s pause here for a second. What did this action cause for PancakeBunny? Let’s look at a screenshot that was posted by Peckshield earlier:

From the Twitter account of Peckshield

This is the mint function of PancakeBunny, rewarding those who locked their liquidity in the pool by minting BUNNY. Now remember, the attacker already had some USDT/WBNB in PancakeBunny’s pool. Steps 1 and 2 above allowed him to fool the minting code into thinking he had much more BNB than he actually had (by manipulating the USDT peg, which was supposed to be stable).
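To make the step 1/2 manipulation concrete, here is an added Python model (not PancakeBunny’s or PancakeSwap’s own code) of a constant-product BNB/USDT pool: it values a 1% LP position the vulnerable way (from the pool’s own reserves and spot price) and the hardened way (from the pool invariant plus an external reference price, with a pre-mint deviation check), then replays the 2,315,632 BNB dump. The 300k BNB / 94.5m USDT reserves, the 0.25% fee and the 1% share are constructed assumptions.

```python
import math

POOL_FEE = 0.0025  # assumed 0.25% LP fee (constructed model; check the real pair's rate)

class ConstantProductPool:
    """Tiny constant-product (x*y=k) pair, a constructed model of a Uniswap-v2-style pool."""

    def __init__(self, bnb, usdt, fee=POOL_FEE):
        self.bnb, self.usdt, self.fee = float(bnb), float(usdt), fee

    def spot_usdt_per_bnb(self):
        return self.usdt / self.bnb

    def swap_bnb_for_usdt(self, bnb_in):
        """Sell bnb_in into the pool; returns USDT paid out and moves the reserves."""
        effective = bnb_in * (1 - self.fee)
        usdt_out = self.usdt * effective / (self.bnb + effective)
        self.bnb += bnb_in
        self.usdt -= usdt_out
        return usdt_out

def lp_value_bnb_spot(pool, share):
    """Vulnerable pattern: the USDT leg is priced at the pool's own spot price, so the
    result is just 2 * share * reserve_bnb and inflates with any BNB dumped into the pool."""
    return share * (pool.bnb + pool.usdt / pool.spot_usdt_per_bnb())

def lp_value_bnb_fair(pool, share, ref_usdt_per_bnb):
    """Hardened pattern: use the invariant k and an external reference price p. At price p
    the pool would hold sqrt(k/p) BNB and sqrt(k*p) USDT, so a share is worth
    2 * share * sqrt(k/p) BNB however skewed the reserves are right now."""
    return 2 * share * math.sqrt(pool.bnb * pool.usdt / ref_usdt_per_bnb)

def spot_within_tolerance(pool, ref_usdt_per_bnb, max_deviation=0.05):
    """Pre-mint sanity check: refuse to act while spot is far from the reference price."""
    return abs(pool.spot_usdt_per_bnb() - ref_usdt_per_bnb) / ref_usdt_per_bnb <= max_deviation

def simulate_step2(share=0.01, flash_bnb=2_315_632, ref_usdt_per_bnb=315.0):
    """Replay the post's step-2 swap against constructed reserves (300k BNB at $315)."""
    pool = ConstantProductPool(bnb=300_000, usdt=94_500_000)
    result = {"spot_before": lp_value_bnb_spot(pool, share),
              "fair_before": lp_value_bnb_fair(pool, share, ref_usdt_per_bnb)}
    pool.swap_bnb_for_usdt(flash_bnb)  # the manipulation: dump the flash-loaned BNB
    result.update(spot_after=lp_value_bnb_spot(pool, share),
                  fair_after=lp_value_bnb_fair(pool, share, ref_usdt_per_bnb),
                  spot_price_after=pool.spot_usdt_per_bnb(),
                  sane=spot_within_tolerance(pool, ref_usdt_per_bnb))
    return result
```

With these inputs the spot-based valuation of the same 1% position jumps from about 6,000 BNB to over 50,000 BNB after the dump, while the invariant-based value barely moves and the deviation check rejects the manipulated state.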

So what happened?

BUNNY minting

Step 3: As a result of the manipulation, 7 million BUNNY were minted and given to the attacker.

Step 4: The attacker sold 4.8m BUNNY for 2.3m BNB and 2.9m USDT to repay the flash loans. Remember that they had to repay the flash loans in this same transaction or it would have been reverted. So at the end they had 2.2m BUNNY left.

After the attack, it seems that the attacker sold some of it into ETH and other tokens to move the funds around. It seems that they made ~$40m with this attack.

A lot of recent attacks involve flash loans. Flash loans are a very popular tool for arbitragers and liquidators, and are meant to be a useful and essential component of the DeFi ecosystem. However, the amounts they let a single user borrow make price manipulation easy, which leads to attacks like this one. We do hope platforms will quickly find a way to protect themselves against such attacks.

I sincerely hope that none of you were directly impacted by this attack. But seeing the price impact that this incident had on all major BSC players, unfortunately it does seem that we were all indirectly affected.

Stay strong and hodl!
