BSC DeFi app ‘Pancakebunny’ releases post-mortem of $2.4 million exploit
1,281 Ethereum (ETH) worth approximately $2.4 million stolen in a flash loan attack.
In last week’s attack on the Polygon (MATIC) and QuickSwap (QUICK) version of the Binance Smart Chain (BSC) yield farming protocol PancakeBunny, 2.1 million PolyBunny (polyBUNNY) tokens were minted, resulting in an 82% price plunge from $10 prior to the exploit to just over $2 after the initial damage.
In the aftermath of the recent decentralized finance (DeFi) exploit, the PancakeBunny (BUNNY) team published a post-mortem and compensation plan as it revised its protocols to improve security.
Flash loan attack
PolyBunny, a yield farming protocol running on the Polygon network and QuickSwap decentralized exchange (DEX) based on Ethereum (ETH), was exploited for $2.4 million on July 16.
Chronologically, the attacker made a small deposit (roughly $19,203) in one of the Bunny Vaults while at the same time making a massive deposit (roughly $47,990,975) directly to SushiSwap, and then, by calling the “withdrawAll” function, executed the attack with the amount deposited to SushiSwap treated as interest.
The attacker successfully manipulated the oracle to increase the interest, and the inflated performance fee resulted in roughly 2.1 million PolyBunny tokens being minted to the attacker, who at that point repaid Aave’s flash loan and exited the attack with about 1,281 Ethereum, according to the official post-mortem.
1⃣ Attacker borrowed extremely large number of tokens
2⃣ Deposited small amount in SushiSwap USDC-USDT Pool
3⃣ Directly deposited in <minichef> to get high interest
4⃣ Manipulated oracle to increase the interest
5⃣ Minted polyBUNNY
— pancakebunny.finance (@PancakeBunnyFin) July 16, 2021
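A simplified model of the accounting flaw described above, next to one way a vault could guard against it; this is an added illustration, not PolyBunny's contract code. The fee rate, the tolerance and all class and function names are assumptions, the small harvested reward is constructed, and the two deposit amounts are the figures quoted in the article.

```python
from dataclasses import dataclass

FEE_BPS = 3000        # assumed performance fee: 30% of profit (not from the article)
TOLERANCE_BPS = 100   # assumed guard: farm balance may exceed the vault's books by 1%

class AccountingMismatch(Exception):
    """The farm reports more than the vault's own records can explain."""

@dataclass
class Vault:
    principal: int = 0     # USD the vault itself deposited for the user
    harvested: int = 0     # USD of rewards the vault itself claimed
    farm_balance: int = 0  # USD the external farm reports for this position

    def deposit(self, usd: int) -> None:
        self.principal += usd
        self.farm_balance += usd
    def harvest(self, usd: int) -> None:
        self.harvested += usd
        self.farm_balance += usd
    def credited_from_outside(self, usd: int) -> None:
        # Funds sent straight to the farm, bypassing the vault: only the farm's number moves.
        self.farm_balance += usd

def fee_naive(v: Vault) -> int:
    # Flawed: everything the farm reports above principal is treated as interest.
    return (v.farm_balance - v.principal) * FEE_BPS // 10_000

def fee_guarded(v: Vault) -> int:
    # Hardened: the fee comes from tracked rewards only; an unexplained balance halts the mint.
    books = v.principal + v.harvested
    if v.farm_balance * 10_000 > books * (10_000 + TOLERANCE_BPS):
        raise AccountingMismatch(f"farm reports {v.farm_balance}, books say {books}")
    return v.harvested * FEE_BPS // 10_000

def scenario(direct_usd: int) -> Vault:
    v = Vault()
    v.deposit(19_203)                    # vault deposit quoted in the article
    v.harvest(100)                       # constructed: a small genuine reward
    v.credited_from_outside(direct_usd)  # 0, or the direct deposit quoted in the article
    return v

if __name__ == "__main__":
    for label, direct in (("honest", 0), ("inflated", 47_990_975)):
        v = scenario(direct)
        try:
            print(label, fee_naive(v), fee_guarded(v))
        except AccountingMismatch as exc:
            print(label, fee_naive(v), "mint blocked:", exc)
```

Because reward minting is driven by the performance fee, the guarded path refuses to mint whenever the externally reported balance cannot be reconciled with the vault's own deposit and harvest records.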
Aftermath
While the protocol confirmed its Polygon and BSC vaults as the SushiSwap contract was safe, it gave assurances that it will compensate those holding the protocol’s native tokens at the time of the attack.
“Team Bunny will distribute a total of $2.4 million in MND tokens as total compensation to polyBUNNY holders. This amount corresponds to the amount that was exploited by the attacker.”
MND is not a protocol token minted over time but a fixed-volume utility token associated with the Mound Vault that collects and distributes the proceeds of the ecosystem’s expansion.
Following the exploit, the team announced it has “revised its protocols to maximize security for the launch of new products,” while publishing details on the Qubit lending protocol launch process and the Mound (MND) Vault update.
In light of the recent exploit, Team Bunny has revised its protocols to maximize security for the launch of new products.
Please visit the link below for more details on the revised Qubit launch process and an update on our Mound (MND) Vault. https://t.co/E9qWs69j2Q
— pancakebunny.finance (@PancakeBunnyFin) July 19, 2021
The protocol’s native token PolyBunny fell 85% from its all-time high of $22.9 on July 7, according to CoinGecko.
The Binance Smart Chain version, the PancakeBunny token, is currently trading at $13.22 as its price dropped 29% in the past seven days.
Even though, according to the team, “BSC BUNNY has in no way been affected” in this particular exploit, CryptoSlate reported roughly two months ago that PancakeBunny suffered a similar but more damaging flash loan attack.