$200 000 000 USD

MAY 2021

GLOBAL

PANCAKEBUNNY

DESCRIPTION OF EVENTS

"Our Bunny team is dedicated to support the underlying DeFi ecosystem by providing users with an easy way to automatically compound their yields through the Binance Smart Chain. The DeFi movement, and more specifically Yield Aggregators, have seen a huge surge in activity in 2020. The Rise of Yearn, which uses existing protocols such as Compound, DyDx, and Curve, has influenced the development of various other Yield Aggregator projects on the Ethereum Network. Our goal is to expand that same interest through the Binance Smart Chain Ecosystem."

 

"Bunny, like other yield aggregators on BSC, uses Pancake Swap since it is the most prominent platform for Yield Farming. Bunny is continuously striving to create innovative new Yield Optimization Strategies. Currently we have BUNNY, CAKE, BUNNY-BNB, CAKE-BNB, BUSD-BNB, USDT-BNB, DAI-BNB, USDC-BNB, VAI-BUSD, USDT-BUSD Pools. Furthermore, on our website, you can see we have the maximizer vaults. These strategies allow users to get the profits from certain pools and these profits are automatically auto compounded into the CAKE compounding pool, giving users a much greater return, while protecting the principal. We are currently launching our cross chain project, which will allow ETH-BSC cross chain, bringing more ETH users on BSC yield farming as well."

 

"Popular Binance Smart Chain-based decentralized finance protocol PancakeBunny has suffered a major exploit that allowed a hacker to make off with more than $200 million worth of crypto assets." "Reports have it that the hacker stole an estimated 700,000 BUNNY tokens and an additional 114,000 BNB."

 

"The PancakeBunny team confirmed the incident in a tweet on May 20, explaining that there was no smart contract hack or vault breach. Instead, what the attacker did was more of an “economic exploit.”" "Our project has suffered a Flash Loan attack, whereby the exploiter was able to manipulate the price of Bunny. First of all, we would like to remind the community again that your funds are safe! The exploit did not breach any of our actual vaults, it was more so a market manipulation fueled by a Flash Loan attack."

 

"While the broader crypto market was dumping, a smart little hacker managed to bag himself a nice jackpot, estimated by some to be worth $1 billion (£710 million)! To simplify the hack, the user took out a flash loan on PancakeSwap to borrow a large amount of Binance Coin (BNB). “But wait,” I hear you cry, “PancakeSwap doesn’t offer flash loans, what are you talking about?!” Well, let me tell you! Although PancakeSwap doesn’t draw much attention to this, flash loans are native to Uniswap V2. PancakeSwap is one of Uniswap’s many forks, meaning it has the same functions, even if they are hidden from regular users."

 

"[T]he exploiter transferred USDT and BNB to the Pancakeswap Pair contract, which called the minting of PancakePair contract pointing the receiver to the contract itself and the LP tokens remained on the PancakePair. The exploiter then called to remove liquidity and got the redundant LP tokens, resulting in the minter misunderstanding the redundant LP tokens as performance fees and minting an excess amount of Bunny."

 

“We would like to remind the community that no vaults have been compromised. The exploit was an economic exploit that attacked the price of BUNNY, using flash loans. We repeat, no vaults have been breached.”

 

"Despite the rumors circulating that the attacker made off with $1 billion worth of tokens, it appears that the mechanics of the exploit were confused for the actual proceeds of the attack. Sources calculate the real losses to be around just $50 million. None of the vaults on the platform were compromised."

 

"The Pancake Bunny team has temporarily disabled deposits into the protocol and has stated that they are working on a reimbursement plan for affected users. An official post-mortem report will also be released soon."

 

"The team appreciates your patience and support during these times. Deposits and Withdrawals have been restored as of 06:30, May 21 UTC. PancakeBunny and the BUNNY token should all operate as they did before."

PancakeBunny is a staking platform for crypto-assets. Hackers used the project's smart contract together with flash loans to manipulate prices and made millions in profit. Estimates of the amount varied widely, between $45m and $200m.
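To illustrate the price-manipulation mechanism summarised above, the following added example (not PancakeBunny's code and not from the original page) models a reward minter that values a fee at a constant-product pool's spot price, beside a version that prices from a time-weighted average and refuses to mint while the spot price is skewed. All names, reserves, the reward rate and the 2% threshold are constructed assumptions.

```python
from dataclasses import dataclass

REWARD_PER_BNB = 5.0    # hypothetical: reward tokens minted per BNB of fee value
MAX_DEVIATION = 0.02    # hypothetical: tolerate 2% spot-vs-TWAP drift

class PriceDeviation(Exception):
    """Spot price is too far from the time-weighted reference."""

@dataclass
class Pool:
    """Constant-product pool (asset * bnb = k), Uniswap V2 style, swap fee ignored."""
    asset: float
    bnb: float

    def spot_price(self) -> float:
        return self.bnb / self.asset          # BNB per unit of asset, right now

    def swap_bnb_in(self, bnb_in: float) -> float:
        out = self.asset * bnb_in / (self.bnb + bnb_in)
        self.bnb += bnb_in
        self.asset -= out
        return out

def twap(samples):
    """Time-weighted average of (price, seconds_observed) pairs from past blocks."""
    return sum(p * t for p, t in samples) / sum(t for _, t in samples)

def mint_naive(pool, fee_asset):
    # Weak: values the fee at whatever the pool reports in this very transaction.
    return fee_asset * pool.spot_price() * REWARD_PER_BNB

def mint_guarded(pool, fee_asset, samples):
    # Hardened: price from history, and refuse to mint while spot is skewed.
    ref = twap(samples)
    if abs(pool.spot_price() - ref) / ref > MAX_DEVIATION:
        raise PriceDeviation(f"spot {pool.spot_price():.4f} vs TWAP {ref:.4f}")
    return fee_asset * ref * REWARD_PER_BNB

def demo():
    history = [(0.0100, 600), (0.0101, 600), (0.0099, 600)]  # constructed samples
    pool = Pool(asset=1_000_000.0, bnb=10_000.0)             # constructed reserves
    normal = mint_naive(pool, 100.0)
    pool.swap_bnb_in(90_000.0)       # one very large swap skews the reserves
    skewed = mint_naive(pool, 100.0)
    try:
        mint_guarded(pool, 100.0, history)
        blocked = False
    except PriceDeviation:
        blocked = True
    return normal, skewed, blocked
```

In this model the same 100-unit fee mints 100 times more reward tokens after the swap, while the guarded path rejects the mint because the spot price has left the 2% band around the historical average.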

 

The project has made an effort to reimburse investors and continues to operate.

HOW COULD THIS HAVE BEEN PREVENTED?

While decentralized finance becomes progressively more secure as lessons are learned from each attack, the most secure way of storing cryptoassets continues to be offline multi-signature wallets with keys held by reputable people.

 




© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.