The best way to respond to a $45 million bug hack is not to rush your next project out the door with even less review time.
The first thing to understand about the PancakeBunny hack is that it took place on May 19, with the hacker making off with about $45 million in a flash loan exploit, and tanking the price of BUNNY tokens by 96% from $220 to around $10 within a day. Some six weeks later, it had only recovered to about $15.
The second thing to understand is that the developers at Bunny Finance apparently didn’t learn their lesson very well. On July 16, the company’s new (although long-planned) Polygon blockchain fork, PolyBunny, was also hit, with a flash loan attack minting $2.1 million worth of POLYBUNNY — tanking its tokens from $10 to below $2.
Which means that despite the staggering BNB and BUNNY losses, the worst hit to coin holders of the automated market maker (AMM) and yield farming decentralized exchange (DEX) came from the damage done to the project’s two tokens’ price drops.
The attacks on PancakeBunny and PolyBunny are only the latest of a growing number of hacks on DeFi projects, according to leading blockchain intelligence and analytics firm CipherTrace. In a May 2021 report, the firm found that in the first four months of the year, 70% of all major crypto hacks and frauds targeted decentralized finance projects like these.
Worse, the funds lost in these two categories by the end of April totalled $239 million, compared with $170 million in all of 2020. And that was before the $45 million lost by PancakeBunny. Adding the $30 million Spartan protocol attack in May and several smaller attacks including BurgerSwap, AnySwap, ChainSwap (x2), THORChain and of course PolyBunny, and the losses are past $300 million so far this year.
Anatomy of an Exploit
The short version of what happened to PancakeBunny is that it suffered a flash loan attack. Keep in mind that a flash loan must be borrowed and repaid in a single transaction, which is what happened here.
The problem is that while flash loans must be borrowed and repaid in a single transaction, they are unsecured, meaning enormous, market-moving amounts can be borrowed. The PancakeBunny attack used this to great effect.
First, the hacker borrowed more than $700 million in Binance Coin (BNB) from seven PancakeBunny lending pools, as well as almost $3 million in Tether (USDT) from another source. They used this to manipulate the price of BNB using a bug in PancakeBunny’s BNB-USDT liquidity pool, which allowed them to mint almost seven million BUNNY in a complex, six-stage process (which Bunny Finance details here). This was dumped for about 2.4 million BNB — which caused the price of BUNNY to crater.
After repaying the flash loans, the hacker was left with 114,631 BNB worth about $45 million.
The exploit here was the result of a flaw in the PancakeBunny protocol that determined the amount of BUNNY governance tokens to be minted based on the amount of BNB compared to the amount of USDT in the pool.
Making Restitution
On June 17, Team Bunny announced a post-attack recovery plan centered on injecting “significant new value” into the PancakeBunny ecosystem, despite the challenges of the broader crypto bear market.
Specifically, the developers announced plans to accelerate the “design and product roadmap so that it will be able to bring all of the main elements online in the next month (instead of through the end of the year as was our initial expectation in more favorable climes).”
There were four of these, starting with a fork of the PancakeBunny BSC protocol onto new blockchains. The first of these forks was to be Polygon, which would use polyBUNNY tokens.
Next was the Qubit lending protocol (using new QBT tokens), followed by double farming Multiplexers and PancakeBunny Safe Swap — which will not support flash loans.
The goal was to maintain the platform’s value, increase the total value locked in the protocol, and shore up BUNNY.
Beyond that, Team Bunny came up with a way to compensate BUNNY holders for their losses on May 20. With BUNNY’s value then at about $39 million, a new token — Platinum BUNNY, or pBUNNY — was announced, as was a compensation pool consisting of performance fees going forward and a donation from the developers’ own Bunny holdings, among other things. And an “aggressive” buyback-and-burn program was announced to counteract the effect of the new tokens.
Five weeks later came the Mound Vault, a repository of the team-donated BUNNY and polyBUNNY tokens, QBT tokens and proceeds of future projects. It used MND tokens.
Unfortunately…
Post Post-Mortem
On July 17, the PancakeBunny Medium blog once again had the word “post-mortem” in the title.
A flash loan attack had been launched successfully against Polygon PancakeBunny. This time, the attacker used a $48 million flash loan to mint 2.1 million PolyBUNNY tokens, which were sold for Ether and used to repay the loan, netting the attacker 1,287.1 ETH, worth some $2.4 million.
The price of PolyBunny tanked from about $10 to about $2.
The Team Bunny developers coughed up $2.4 million worth of their own MND tokens.
Going Slower
In response to the second hack, Bunny Finance on July 21 announced that it is “slowing the pace” of its product releases in order to make security “its top priority.”
While the protocol’s “prior focus was on expanding the PancakeBunny ecosystem and injecting value into the PancakeBunny Community as quickly as possible in order to speed the recovery of our services,” Team Bunny said an extensive review of the events that led up to the second exploit forced it to revise the development and implementation plans to focus on creating “the strongest security regime in DeFi.”
This would include all new launches releasing smart contracts on testnets, creating “aggressive” bounty buckets and the completing “comprehensive” audits before mainnet launch. Beyond that, a second layer code review will be completed before any new products are released.
“This process can add weeks to the release roadmap, and we regret deeply that our desire to deliver ecosystem value in an extremely tight timeframe led us to choose to conduct audits and the beta release of Polygon.PancakeBunny simultaneously.”
BSC in the Crosshairs
The flash loan attacks are a growing problem for Binance Smart Chain, or BSC, an “Ethereum killer” blockchain that has seen roaring growth recently.
CipherTrace, for its part, announced analytics support for BSC on May 27.
Two days later, on May 29, a thread on the official BSC Twitter account warned: “There are >8 #flashloan hacks recently, we believe, an well-organized hackers are targeting #BSC now. It is [a] very challenging time for the BSC community.”
It went on to call on DApps using it to work with audit companies to test security — and if they are forks, to “double and triple check your changes from [the] original version.”
The thread also suggested real-time monitoring prepared to pause the protocol at the first sign of trouble, create a worst-case-scenario contingency plan and set up bug bounties.
This article contains links to third-party websites or other content for information purposes only (“Third-Party Sites”). The Third-Party Sites are not under the control of CoinMarketCap, and CoinMarketCap is not responsible for the content of any Third-Party Site, including without limitation any link contained in a Third-Party Site, or any changes or updates to a Third-Party Site. CoinMarketCap is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement, approval or recommendation by CoinMarketCap of the site or any association with its operators. This article is intended to be used and must be used for informational purposes only. It is important to do your own research and analysis before making any material decisions related to any of the products or services described. This article is not intended as, and shall not be construed as, financial advice. The views and opinions expressed in this article are the author’s [company’s] own and do not necessarily reflect those of CoinMarketCap. CoinMarketCap is not responsible for the success or authenticity of any project, we aim to act as a neutral informational resource for end-users.
