PancakeBunny Finance, a decentralized finance (DeFi) protocol based on the Binance Smart Chain, was exploited late Wednesday and saw $45 million drained from its ecosystem.
The attacker used an exploit to mint millions of bunny tokens and sold the majority of them for BNB, leaving liquidity providers short. While this didn’t affect the protocol’s vaults directly, it sank the price of bunny tokens, affecting all holders.
Here’s how the attack happened
The exploitation occurred because PancakeBunny had a bug in how the protocol calculated the number of new bunny tokens to mint, according to The Block Research's Igor Igamberdiev. Bunny (BUNNY) is the native governance token of the protocol.
The minting calculation depended on the price reported by the BNB-USDT pool, and that price is derived from the pool's current reserves of BNB and USDT. Shifting the ratio of those reserves shifts the price the minting logic reads. In other words, anyone able to push a large enough amount of BNB or USDT through the pool within a single transaction could manipulate the price the protocol relied on.
The exploiter took advantage of this bug by using flash loans. They took eight flash loans, seven from PancakeSwap pools and one from ForTube Bank, a DeFi lending protocol. The attacker borrowed 2.3 million BNB (worth $704 million) and 2.9 million USDT ($2.9 million), for a total of nearly $707 million.
These flash loans were then used to manipulate the price of BNB in the BNB-USDT pool. The attacker used a small portion of BNB and USDT from the flash loans to provide liquidity to that pool.
They then swapped all the remaining BNB from the flash loans into the pool, skewing its reserves and, with them, the price the minting function read. That let them mint 7 million bunny tokens.
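The mechanism described above, as an added illustrative model rather than PancakeBunny's contract code (the article does not give the protocol's exact formula): a constant-product BNB-USDT pool, a mint function that values a fee at the pool's spot price, the same mint after a large BNB dump in the same block, and a hardened variant that prices against a time-weighted average recorded before the transaction and refuses when spot has moved too far from it. The pool reserves, the 0.25% swap fee, the mint rate, the 5% deviation bound and the flash-loan size are constructed assumptions, scaled down from the article's figures.

```python
# Added illustrative model, not PancakeBunny's code: a mint amount that reads an
# AMM pool's spot reserves can be inflated by a flash-loan swap in the same
# transaction. Pool sizes, fee, mint rate and the TWAP check are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SWAP_FEE = 0.0025        # assumed PancakeSwap-style 0.25% swap fee
REWARD_PER_BNB = 5.0     # hypothetical: reward tokens minted per BNB of fee value
MAX_DEVIATION = 0.05     # hypothetical: reject if spot is more than 5% away from TWAP
BLOCK_TIME = 3           # approximate seconds per Binance Smart Chain block


@dataclass
class Pool:
    """Constant-product BNB/USDT pool: bnb * usdt stays (almost) constant across swaps."""
    bnb: float
    usdt: float

    def spot_price(self) -> float:
        """USDT per BNB read directly from reserves; movable within one transaction."""
        return self.usdt / self.bnb

    def swap_bnb_for_usdt(self, bnb_in: float) -> float:
        """Sell BNB into the pool; large sells crash the USDT-per-BNB spot price."""
        effective = bnb_in * (1 - SWAP_FEE)
        usdt_out = self.usdt * effective / (self.bnb + effective)
        self.bnb += bnb_in
        self.usdt -= usdt_out
        return usdt_out


def naive_mint(pool: Pool, fee_usdt: float) -> float:
    """Vulnerable pattern: value a USDT-denominated fee in BNB at the pool's spot price."""
    return fee_usdt / pool.spot_price() * REWARD_PER_BNB


@dataclass
class TwapOracle:
    """Cumulative-price accumulator updated once per block, before any swap in it."""
    observations: List[Tuple[int, float]] = field(default_factory=list)
    cumulative: float = 0.0
    last_time: Optional[int] = None
    last_price: Optional[float] = None

    def update(self, timestamp: int, spot: float) -> None:
        if self.last_time is not None:
            self.cumulative += self.last_price * (timestamp - self.last_time)
        self.last_time, self.last_price = timestamp, spot
        self.observations.append((timestamp, self.cumulative))

    def twap(self, lookback: int) -> float:
        """Average price over at least `lookback` seconds ending at the last update."""
        t_now, c_now = self.observations[-1]
        for t, c in reversed(self.observations):
            if t_now - t >= lookback:
                return (c_now - c) / (t_now - t)
        raise ValueError("not enough price history for TWAP")


def hardened_mint(pool: Pool, oracle: TwapOracle, fee_usdt: float) -> float:
    """Price the fee with the TWAP and refuse when spot has been yanked away from it."""
    reference = oracle.twap(lookback=5 * BLOCK_TIME)
    deviation = abs(pool.spot_price() - reference) / reference
    if deviation > MAX_DEVIATION:
        raise ValueError(f"spot deviates {deviation:.0%} from TWAP; possible manipulation")
    return fee_usdt / reference * REWARD_PER_BNB


def simulate() -> dict:
    """Honest mint versus mint after a same-block flash-loan dump, for both designs."""
    pool = Pool(bnb=100_000.0, usdt=35_000_000.0)   # constructed: 350 USDT per BNB
    oracle = TwapOracle()
    for block in range(11):                          # ten quiet blocks of history
        oracle.update(block * BLOCK_TIME, pool.spot_price())

    fee_usdt = 1_000.0
    honest = naive_mint(pool, fee_usdt)
    honest_hardened = hardened_mint(pool, oracle, fee_usdt)

    # Attacker, still inside block 10: flash-borrow 2,000,000 BNB and dump it into the pool.
    pool.swap_bnb_for_usdt(2_000_000.0)
    manipulated = naive_mint(pool, fee_usdt)
    try:
        hardened_mint(pool, oracle, fee_usdt)
        refused = False
    except ValueError:
        refused = True

    return {
        "spot_after_dump": pool.spot_price(),
        "honest": honest,
        "honest_hardened": honest_hardened,
        "manipulated": manipulated,
        "inflation": manipulated / honest,
        "hardened_refused": refused,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

With these constructed numbers the dump drives the spot price from 350 to under 1 USDT per BNB, and the naive mint hands out several hundred times the honest amount for the same fee, while the TWAP-based mint refuses because the attacker's swap is not part of any price recorded before the transaction. The deviation bound only raises the cost of manipulation: a well-funded attacker can hold a skewed price across several blocks on a cheap chain, so mint and fee logic should be bounded independently of any on-chain price wherever possible.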
The attacker then sold most of the minted bunny tokens for BNB, resulting in a price crash of nearly 100% for bunny. The token fell from $146 to $0.9 following the attack. At the time of writing, bunny is trading at around $28, according to CoinGecko.
The price crash means bunny holders have suffered losses due to the exploitation. The PancakeBunny protocol tweeted that it is “working on a reimbursement plan.”
In the process, the exploiter pocketed $45 million. They swapped the minted bunny for BNB, used most of that BNB to repay the eight flash loans, and kept the remaining BNB and unsold bunny as profit.
The attacker then went on to swap some of the BNB to the anyETH token via Nerve Finance’s bridge and transferred it to an Ethereum address. At the time of writing, $41.4 million is sitting on the attacker’s Ethereum address, and $4 million is on their Binance Smart Chain address.
© 2021 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.