BSC DeFi app ‘Pancakebunny’ releases post-mortem of $2.4 million exploit BSC DeFi app ‘Pancakebunny’ releases post-mortem of $2.4 million exploit
🚨 This article is 3 years old...

BSC DeFi app ‘Pancakebunny’ releases post-mortem of $2.4 million exploit

1,281 Ethereum (ETH) worth approximately $2.4 million stolen in a flash loan attack.

BSC DeFi app ‘Pancakebunny’ releases post-mortem of $2.4 million exploit

Cover art/illustration via CryptoSlate. Image includes combined content which may include AI-generated content.

In last week’s attack on the Polygon (MATIC) and QuickSwap (QUICK) version of the Binance Smart Chain (BSC) yield farming protocol PancakeBunny, 2.1 million PolyBunny (polyBUNNY) tokens were minted, resulting in an 82% price plunge from $10 prior to the exploit, to just over $2 post the initial damage.

In the aftermath of the recent decentralized finance (DeFi) exploit, the PancakeBunny (BUNNY) team published a post mortem and compensation plan as it revised its protocols to ensure more security. 

Flash loan attack

PolyBunny, a yield farming protocol running on the Polygon network and QuickSwap decentralized exchange (DEX) based on Ethereum (ETH), got exploited for $2.4 million on July 16.

Chronologically, the attacker made a small deposit ( roughly $19,203) in one of the Bunny Vaults, while at the same time, made a massive deposit (roughly $47,990,975) directly to SushiSwap, and by calling the “withdrawAll” function executed the attack with the amount deposited to SushiSwap as interest.

By successfully manipulating the oracle to increase the interest, the inflated performance fee resulted in minting roughly 2.1 million PolyBunny tokens to the attacker, who at that point repaid Aave’s flash loan and exited the attack with about 1,281 Ethereum, according to the official post mortem.


While the protocol confirmed its Polygon and BSC vaults as the SushiSwap contract was safe, it reassured that it will compensate those holding the protocol’s native tokens at the time of the attack. 

“Team Bunny will distribute a total of $2.4 million in MND tokens as total compensation to polyBUNNY holders. This amount corresponds to the amount that was exploited by the attacker.”

MND is not a protocol token minted over time but a fixed-volume utility token associated with the Mound Vault that collects and distributes the proceeds of the ecosystem’s expansion.

Following the exploit, the team announced it has “revised its protocols to maximize security for the launch of new products,” while publishing details on the Qubit lending protocol launch process and the Mound (MND) Vault update.

The protocol’s native token PolyBunny fell 85% from its all-time high of $22.9 on July 7, according to Coingecko

Binance Smart Chain version, the  PancakeBunny token, is currently trading at $13.22 as its price dropped 29% in the past seven days. 

Even though according to the team “BSC BUNNY has in no way been affected” in this particular exploit, roughly two months ago, CryptoSlate reported that PancakeBunny suffered a similar but more damaging flash loan attack.

Mentioned in this article
Posted In: , DeFi, Hacks, Tokens