How scammers exploited vulnerabilities in Pancake Bunny’s smart contract code»CryptoNinjas

Earlier today, DeFi high-yield agricultural aggregator Pancake Bunny suffered a brief loan attack. The attacker lost approximately $45 million in just a few seconds.

Kicker? Nothing is violated. The attackers took advantage of two things: borrowing (an innovation of DeFi) and software vulnerabilities on the DeFi platform.

background

At 10:34 UTC on May 20th (Thursday), Pancake Bunny, a DeFi revenue agricultural aggregator and optimizer built on Binance Smart Chain (BSC), suffered a fast lending attack that used the code in the Bunny protocol . Before delving into the details of hacks, we should be familiar with some terms:

Flash loan attack: A flash purchase loan is a loan that is generated and repaid within the time frame required to create a new block on the blockchain. This is a loan that does not require the borrower to lay down any collateral. The borrower will quickly profit from this amount and refund the initial loan before forming a new block. In a fast loan attack, the scammer will take the loan to manipulate the market and/or exploit software vulnerabilities in the code.

Automatic market maker (AMM): Although not all decentralized exchanges are AMM platforms, some of the most popular DEXs are still. The AMM platform allows automatic trading of cryptocurrencies using a programmed liquidity pool instead of a traditional order book that brings together buyers and sellers.

Liquidity Pool: Liquidity refers to the ease with which one asset can be converted into another asset without much price impact. The AMM platform collects funds into a liquidity pool through smart contracts to facilitate decentralized transactions, lending and other financial functions. For decentralized exchanges such as Uniswap or PancakeSwap, the liquidity pool allows the platform to operate smoothly.

Liquidity providers and LP tokens: Incentivize liquidity providers to provide assets to the liquidity pool so that tokens can be easily traded on the platform. For example, part of the fees incurred through intra-pool transactions can be used to “repay” liquidity providers. In addition, when the liquidity provider invests assets in the asset pool, the AMM platform will automatically generate an LP token, and then the LP token can also be used for other functions (on its native platform or other DeFi applications) for liquidity Sex providers can even receive higher returns.

Total value lock (TVL): The locked-in total value is used as a factual indicator of decentralized financial growth, usually the amount of capital deposited into DeFi in the form of loan collateral or liquidity in the trading pool.

What do we know so far?

Contrary to the previously reported situation where Pancake Bunny was stolen $1 billion, Igor IgamberdievResearch analysts at The Block Crypto revealed that about 45 million U.S. dollars (114,000 WBNB) were actually stolen. The attackers used PancakeSwap (PCS) to take advantage of quick loans.

1/6

Today, BUNNY tokens worth more than $1B+ were minted from Bunny Finance on BSC, resulting in the theft of $40M+:

– 114k WBNB ($40M)
– 697k rabbit

As a result, the price of BUNNY fell from US$146 to US$6 pic.twitter.com/BBVfWOHgZH

-Igor Igamberdiev (@FrankResearcher) May 20, 2021

In a series of tweets, Igor decomposed the attacker’s behavior into six steps, which has been confirmed by Pancake Bunny Autopsy:

6/6

At present, the attacker has withdrawn 10.1k ETH (23.5 million US dollars) from Ethereum through the neural bridge, and another 14 million US dollars are on its BSC address. pic.twitter.com/h9taC5bcPj

-Igor Igamberdiev (@FrankResearcher) May 20, 2021

1. Deposit USDT worth 1BNB into the rabbit USDT-WBNB vault for attack. Due to this deposition, 9.275 LPs were generated.
2. Used emergency loans to borrow 2.3 million BNB (704 million U.S. dollars) from 7 PancakeSwap pools and 2.9 million USDT from ForTube Bank.
3. Deposit 7,700 BNB and 2.9 million USDT of liquidity into the PancakeSwap USDT-WBNB pool, as well as the LP tokens generated in step 1.
4. Through the PancakeSwap USDT-WBNB pool, 2.3 million BNB was traded to USDT, which flooded the funds in the BNB pool and significantly reduced the amount of USDT in the pool.
5. With the help of LPs in the PancakeSwap USDT-WBNB pool, Bunny Finance believes that the exploiter added a large amount of BNB to the system, which triggered the system, causing the system to raise 7 million BUNNY ($1 billion).
6. Then, Exploiter sold 4.8 million pounds for $2.3 million WBNB and $2.9 million USDT, which were then used to repay the fast loan borrowed in step 2.

As Pancake Bunny’s “Forward plan“, all vaults are safe and no vault is violated. However, when the newly minted BUNNY flooded the market in step 5, the price of BUNNY plummeted. Part of Pancake Bunny’s TVL is located in BUNNY, so-despite the vault Not damaged itself-TVL is still lost.

Who was hurt by this attack?

The biggest victims in this incident were BUNNY’s main victims:

• 7 million BUNNY tokens were created out of thin air, and the existing tokens were diluted, causing the price of BUNNY to fall.
• Due to the sale of BUNNY tokens in the market, the liquidity of BUNNY (that is, how easy it is for BUNNY to sell in the market) has been completely blocked.

Pancake Bunny outlined the measures they have taken to promote 1) TVL, 2) market capitalization and 3) compensation for everyone’s losses as quickly as possible in their “plan forward”.

What does this mean for fast loans, fast loan attacks, and DeFi platforms?

The unique feature of short-term loans is that borrowers can be like whales in the market with almost no collateral, so almost everyone can manipulate the market and exploit vulnerabilities in the smart contract code.

As with any emerging industry, mistakes are made at the beginning, and the industry will learn from these types of attacks. Then the system and infrastructure will be strengthened to ensure the security of transactions using the DeFi platform.