Binance Smart Chain’s PancakeBunny protocol exploited, $45 million drained

May 20, 2021 | The Block News


PancakeBunny Finance, a decentralized finance (DeFi) protocol based on the Binance Smart Chain, was exploited late Wednesday and saw $45 million drained from its ecosystem.

The attacker used an exploit to mint millions of bunny tokens and sold the majority of them for BNB, leaving liquidity providers short. While this didn’t affect the protocol’s vaults directly, it sank the price of bunny tokens, affecting all holders.

Here’s how the attack happened

The exploitation occurred because PancakeBunny had a bug in how the protocol calculates the number of new bunny tokens to be minted, according to The Block Research’s Igor Igamberdiev. Bunny (BUNNY) is the native governance token of the protocol.

The calculation function for minting new tokens depended on the price of the BNB-USDT pool. If the ratio of the BNB or USDT reserves of this pool were higher, the pool’s price would fall — and vice versa. In other words, the price of this pool could be manipulated based on the reserves of BNB and USDT.

The exploiter took advantage of this bug by using flash loans. They took eight flash loans, seven from PancakeSwap pools and one from ForTube Bank, a DeFi lending protocol. The attacker borrowed 2.3 million BNB (worth $704 million) and 2.9 million USDT ($2.9 million), for a total of nearly $707 million.

These flash loans were then used to manipulate the price of BNB in the BNB-USDT pool. The attacker used a small portion of BNB and USDT from the flash loans to provide liquidity to that pool.

They then swapped all the remaining BNB tokens from the flash loans in the pool to manipulate the reserves in the pool, minting 7 million bunny tokens in the process.
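The pricing flaw described above, as an added example that is not PancakeBunny's contract code: a constant-product pool whose spot price moves under one large swap, a mint function that trusts that spot price, and a guarded variant that checks it against a reference price from before the transaction. The reserves, fee, reward rate, mint formula and 2% tolerance are all assumptions made for illustration.

```python
from dataclasses import dataclass

FEE = 0.0025          # assumed swap fee
BUNNY_PER_BNB = 3.0   # hypothetical reward rate
MAX_DEVIATION = 0.02  # assumed tolerance between spot and reference price

@dataclass
class Pool:
    bnb: float
    usdt: float

    def spot_price(self) -> float:
        """USDT per BNB, read straight from the current reserves."""
        return self.usdt / self.bnb

    def swap_bnb_in(self, bnb_in: float) -> float:
        """Constant-product swap (x * y = k), fee taken from the input."""
        effective = bnb_in * (1 - FEE)
        usdt_out = self.usdt * effective / (self.bnb + effective)
        self.bnb += bnb_in
        self.usdt -= usdt_out
        return usdt_out

def mint_naive(pool: Pool, usdt_fee: float) -> float:
    """Weak form: values the fee in BNB at the in-transaction spot price."""
    return usdt_fee / pool.spot_price() * BUNNY_PER_BNB

def mint_guarded(pool: Pool, usdt_fee: float, reference_price: float) -> float:
    """Hardened form: price from a reference (e.g. a time-weighted average
    of earlier blocks) and refuse to mint while spot has diverged from it."""
    spot = pool.spot_price()
    if abs(spot - reference_price) / reference_price > MAX_DEVIATION:
        raise ValueError(f"spot {spot:.2f} vs reference {reference_price:.2f}")
    return usdt_fee / reference_price * BUNNY_PER_BNB

def demo():
    pool = Pool(bnb=100_000.0, usdt=30_000_000.0)  # constructed: 300 USDT/BNB
    reference = pool.spot_price()   # stands in for a pre-transaction average
    before = mint_naive(pool, 1_000.0)
    pool.swap_bnb_in(900_000.0)     # one large swap inside the same transaction
    after = mint_naive(pool, 1_000.0)
    try:
        mint_guarded(pool, 1_000.0, reference)
        blocked = False
    except ValueError:
        blocked = True
    return before, after, blocked

if __name__ == "__main__":
    print(demo())
```

With these constructed reserves the same fee mints roughly a hundred times more tokens after the swap, while the guarded function rejects the call because spot has moved far from the reference.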

The attacker then sold most of the minted bunny tokens for BNB, resulting in a price crash of nearly 100% for bunny. The token fell from $146 to $0.9 following the attack. At the time of writing, bunny is trading at around $28, according to CoinGecko.

The price crash means bunny holders have suffered losses due to the exploitation. The PancakeBunny protocol tweeted that it is “working on a reimbursement plan.”

In the process, the exploiter pocketed $45 million. They swapped the minted bunny for BNB. Then they used most of the BNB to pay back the eight flash loans. The remaining bunny and BNB resulted in a profit for the attacker.

The attacker then went on to swap some of the BNB to the anyETH token via Nerve Finance’s bridge and transferred it to an Ethereum address. At the time of writing, $41.4 million is sitting on the attacker’s Ethereum address, and $4 million is on their Binance Smart Chain address.

© 2021 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
