DeFi yield farming aggregator Pancake Bunny suffered a flash loan attack today in which the attacker got away with around $45 million in seconds.
The kicker? Nothing was breached. The attacker took advantage of two things: flash loans (an innovation in DeFi) and software vulnerabilities on a DeFi platform.
On Thursday, May 20th at 10:34 UTC, Pancake Bunny, a Binance Smart Chain (BSC)-based DeFi yield farming aggregator and optimizer, suffered a flash loan attack that exploited the Bunny protocol code. Before we dive into the details of the hack, there are a few terms that we should familiarize ourselves with:
Flash loan attack: A flash loan is a loan that is issued and returned within the time frame required to create a new block on the blockchain. It is a loan that does not require the borrower to provide any collateral. The borrower quickly turns a profit on the amount and returns the original loan before a new block is formed. In a flash loan attack, the attacker takes out the loan to manipulate the market and/or exploit software vulnerabilities in the code.
Automated Market Makers (AMMs): While not all decentralized exchanges (DEXs) are AMM platforms, some of the most popular DEXs are. AMM platforms enable automatic trading of cryptocurrencies using a programmed liquidity pool instead of a traditional order book where buyers and sellers come together.
Liquidity pools: Liquidity refers to how easily one asset can be converted into another without having a major impact on price. AMM platforms collect funds in a liquidity pool through a smart contract to facilitate decentralized trading, lending, and other finance functions. For decentralized exchanges such as Uniswap or PancakeSwap, liquidity pools enable the platforms to operate smoothly.
Liquidity providers and LP tokens: Liquidity providers are incentivized to supply liquidity pools with assets so that tokens can be easily traded on the platform. For example, a portion of the fees generated by trading within the pool can be used to “repay” liquidity providers. Additionally, when liquidity providers bring assets into a pool, the AMM platform automatically generates an LP token, which can then be used in other functions, either on its native platform or in other DeFi apps, so liquidity providers can earn even higher returns.
Total Value Locked (TVL): Used as a de facto metric for decentralized finance growth, Total Value Locked is the amount of principal that has been deposited into DeFi, often in the form of loan collateral or liquidity in a trading pool.
What do we know so far?
Contrary to earlier reports that $1 billion was stolen from Pancake Bunny, Igor Igamberdiev, a research analyst at The Block Crypto, announced that about $45 million (114,000 WBNB) had actually been stolen. The attacker took advantage of flash loans through PancakeSwap (PCS).
Today, over $1 billion worth of BUNNY tokens were minted by Bunny Finance on BSC, resulting in over $40 million being stolen:
– 114,000 WBNB ($40M)
– 697k BUNNY
Because of this, the BUNNY price dropped from $146 to $6 pic.twitter.com/BBVfWOHgZH
– Igor Igamberdiev (@FrankResearcher) May 20, 2021
At the moment, the attacker has already withdrawn 10.1k ETH ($23.5 million) across the Nerve bridge to Ethereum, and another $14 million is at his BSC address. pic.twitter.com/h9taC5bcPj
– Igor Igamberdiev (@FrankResearcher) May 20, 2021
In a series of tweets, Igor split the attacker’s actions into six steps, which Pancake Bunny confirmed in its post-mortem:
1. Deposited USDBN worth 1 BNB in the Bunny USDT-WBNB vault to stage the exploit. As a result of this deposit, 9,275 LP tokens were generated.
2. Borrowed 2.3 million BNB (704 million USD) from seven PancakeSwap pools and 2.9 million USDT from ForTube Bank using flash loans.
3. Added a further 7,700 BNB and 2.9 million USDT of liquidity to the PancakeSwap USDT-WBNB pool, together with the LP tokens generated in step 1.
4. Swapped 2.3 million BNB for USDT via the PancakeSwap USDT-WBNB pool, flooding the pool with BNB and significantly reducing the amount of USDT in the pool.
5. With the LP tokens in the PancakeSwap USDT-WBNB pool, Bunny Finance believed that the exploiter was adding a large amount of BNB to the system, causing the system to mint 7 million BUNNY ($1 billion).
6. The exploiter then sold 4.8 million BUNNY for 2.3 million WBNB and 2.9 million USDT, which were used to repay the flash loans borrowed in step 2.
As stated in Pancake Bunny’s “Go Forward Plan”, all vaults are secure and no vaults have been breached. However, when the newly minted BUNNY from step 5 flooded the market, BUNNY’s price plummeted. Part of Pancake Bunny’s TVL is in BUNNY, so even though the vaults themselves were not breached, TVL was still lost.
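The valuation error behind steps 4 and 5 can be reproduced with a simplified model. This is an added example, not Pancake Bunny's code: it assumes the reward logic valued LP tokens from the pool's own spot reserves, uses constructed pool numbers with swap fees omitted, and treats `oracle_usdt_in_bnb` as a hypothetical external price feed. It compares the spot-based valuation with a reserve-independent one and adds a deviation check a protocol can run before minting.

```python
import math
from dataclasses import dataclass

@dataclass
class Pool:
    """Constant-product pool (bnb * usdt = k); swap fees omitted for clarity."""
    bnb: float
    usdt: float

    def swap_bnb_in(self, amount: float) -> float:
        """Sell BNB into the pool and return the USDT paid out."""
        k = self.bnb * self.usdt
        self.bnb += amount
        out = self.usdt - k / self.bnb
        self.usdt -= out
        return out

def spot_lp_value_bnb(pool: Pool, share: float) -> float:
    """Naive valuation: price the USDT side at the pool's own spot rate."""
    usdt_in_bnb = pool.bnb / pool.usdt
    return share * (pool.bnb + pool.usdt * usdt_in_bnb)

def fair_lp_value_bnb(pool: Pool, share: float, oracle_usdt_in_bnb: float) -> float:
    """Valuation from k and an external price; swaps leave k unchanged."""
    return share * 2 * math.sqrt(pool.bnb * pool.usdt * oracle_usdt_in_bnb)

def spot_deviates(pool: Pool, oracle_usdt_in_bnb: float, tol: float = 0.02) -> bool:
    """Guard: True when the pool's spot price has moved away from the oracle."""
    spot = pool.bnb / pool.usdt
    return abs(spot - oracle_usdt_in_bnb) / oracle_usdt_in_bnb > tol

def demo():
    pool = Pool(bnb=10_000, usdt=3_000_000)   # constructed: 300 USDT per BNB
    share, oracle = 0.01, 1 / 300             # holder owns 1% of the LP supply
    before = (spot_lp_value_bnb(pool, share),
              fair_lp_value_bnb(pool, share, oracle),
              spot_deviates(pool, oracle))
    pool.swap_bnb_in(90_000)                  # one very large swap skews the reserves
    after = (spot_lp_value_bnb(pool, share),
             fair_lp_value_bnb(pool, share, oracle),
             spot_deviates(pool, oracle))
    return before, after

if __name__ == "__main__":
    for label, row in zip(("before", "after"), demo()):
        print(label, row)
```

In this model the same 1% share is valued at ten times as much BNB after the swap when spot reserves are used, while the reserve-independent valuation does not move and the guard flags the pool as manipulated.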
Who was harmed by this attack?
First and foremost, holders of BUNNY were harmed most by this incident, in two ways:
- With 7 million BUNNY tokens minted out of thin air, existing tokens were diluted, lowering the price of BUNNY.
- Due to the sale of BUNNY tokens in the market, BUNNY’s liquidity (the ease with which BUNNY can be sold in the market) has been completely restricted.
In its “Go Forward Plan,” Pancake Bunny outlined the steps it is taking to accelerate the recovery of 1) TVL and 2) market cap, and 3) to compensate everyone for their losses as quickly as possible.
What does this mean for Flash Loans, Flash Loan Attacks, and DeFi Platforms?
Flash loans are unique in the sense that borrowers are able to behave like whales in the markets with no collateral in place. Almost anyone can manipulate the market and exploit weaknesses in smart contract code.
As in any emerging industry, mistakes are made at the outset, and the industry will learn from these types of attacks. Systems and infrastructure are then reinforced and strengthened to ensure secure transactions for users of DeFi platforms.