PancakeBunny Flash Arbitrage

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 23:52, 25 January 2023 by Azoundria (talk | contribs) (Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/pancakebunnyflasharbitrage.php}} thumb|PancakeBunnyPancakeBunny is a staking platform for crypto-assets. Hackers used the smart contract along with flash loans to manipulate prices, and made millions in profit. Estimates varied widely between $45m and $200m. The project has made an effort to reimburse investors and continues to operate. This is a global/international ca...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

PancakeBunny

PancakeBunny is a staking platform for crypto-assets. Hackers used the smart contract along with flash loans to manipulate prices, and made millions in profit. Estimates varied widely between $45m and $200m.

The project has made an effort to reimburse investors and continues to operate.

This is a global/international case not involving a specific country.

About PancakeBunny

"Our Bunny team is dedicated to support the underlying DeFi ecosystem by providing users with an easy way to automatically compound their yields through the Binance Smart Chain. The DeFi movement, and more specifically Yield Aggregators, have seen a huge surge in activity in 2020. The Rise of Yearn, which uses existing protocols such as Compound, DyDx, and Curve, has influenced the development of various other Yield Aggregator projects on the Ethereum Network. Our goal is to expand that same interest through the Binance Smart Chain Ecosystem."

"Bunny, like other yield aggregators on BSC, uses Pancake Swap since it is the most prominent platform for Yield Farming. Bunny is continuously striving to create innovative new Yield Optimization Strategies. Currently we have BUNNY, CAKE, BUNNY-BNB, CAKE-BNB BUSD-BNB, USDT-BNB, DAI-BNB, USDC-BNB, VAI-BUSD, USDT-BUSD Pools. Furthermore, on our website, you can see we have the maximizer vaults. These strategies allow users to get the profits from certain pools and these profits are automatically auto compounded into the CAKE compounding pool, giving users a much greater return, while protecting the principal. We are currently launching our cross chain project, which will allow ETH-BSC cross chain, bringing more ETH users on bsc yield farming as well."

"Popular Binance Smart Chain-based decentralized finance protocol PancakeBunny has suffered a major exploit that allowed a hacker to make off with more than $200 million worth of crypto assets." "Reports have it that the hacker stole an estimated 700,000 BUNNY tokens and an additional 114,000 BNB."

"The PancakeBunny team confirmed the incident in a tweet on May 20, explaining that there was no smart contract hack or vault breach. Instead, what the attacker did was more of an “economic exploit.”" "Our project has suffered a Flash Loan attack, whereby the expoiter was able to manipulate the price of Bunny. First of all, we would like to remind the community again that your funds are safe! The exploit did not breach any of our actual vaults, it was more so a market manipulation fueled by a Flash Loan attack."

"While the broader crypto market was dumping, a smart little hacker managed to bag himself a nice jackpot, estimated by some to be worth $1 billion (£710 million)! To simplify the hack, the user took out a flash loan on PancakeSwap to borrow a large amount of Binance Coin (BNB). “But wait,” I hear you cry, “PancakeSwap doesn’t offer flash loans, what are you talking about?!” Well, let me tell you! Although PancakeSwap doesn’t draw much attention to this, flash loans are native to Uniswap V2. PancakeSwap is one of Uniswap’s many forks, meaning it has the same functions, even if they are hidden from regular users."

"[T]he exploiter transferred USDT and BNB to the Pancakeswap Pair contract, which called the minting of PancakePair contract pointing the receiver to the contract itself and the LP tokens remained on the PancakePair. The exploiter then called to remove liquidity and got the redundant LP tokens, resulting in the minter misunderstanding the redundant LP tokens as performance fees and minting an excess amount of Bunny."

“We would like to remind the community that no vaults have been compromised. The exploit was an economic exploit that attacked the price of BUNNY, using flash loans. We repeat, no vaults have been breached.”

"Despite the rumors circulating that the attacker made off with $1 billion worth of tokens, it appears that the mechanics of the exploit were confused for the actual proceeds of the attack. Sources calculate the real losses to be around just $50 million. None of the vaults on the platform were compromised."

"The Pancake Bunny team has temporarily disabled deposits into the protocol and has stated that they are working on a reimbursement plan for affected users. An official post-mortem report will also be released soon."

"The team appreciates your patience and support during these times. Deposits and Withdrawals have been restored as of 06:30, May 21 UTC. PancakeBunny and the BUNNY token should all operate as they did before."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - PancakeBunny Flash Arbitrage
Date Event Description
May 19th, 2021 12:00:00 AM First Event This is an expanded description of what happened and the impact. If multiple lines are necessary, add them here.

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

It is unknown how much was recovered.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Prevention Policies

While decentralized finance is made progressively more secure after learning from each attack, the most secure way of storing cryptoassets continues to be offline multi-signature wallets with keys held by reputable people.

References

Rekt - Leaderboard (May 23)

Rekt - PancakeBunny - REKT (May 23)

Flash Loan Attacks Drain 2 Binance Smart Chain Defi Projects for $6 Million – News Bitcoin News (May 23)

DeFi Hack Analysis: Project PancakeBunny Attacked via Major $200 Million Flash Loan Vulnerability (May 24)

BREAKING: BSC-based DeFi Project Pancake BUNNY Suffers $1 Billion Exploit (May 24)

Flash Loan Attack Causes DeFi Token Bunny to Crash Over 95% (May 24)

Has Pancake Bunny fallen victim to a $1 billion hack? - CoinTribune (May 24)

PancakeBunny tanks 96% following $200M flash loan exploit (May 24)

Hacker steals $200 million from PancakeBunny in a flash loan exploit (Jun 1)

BUNNY | No 1. Yield Optimizer (Jun 1)

Introduction — PancakeBunny Docs documentation (Jun 1)

Hopping On Pancakebunny Restored (Jun 1)

Code Security The Past Present And Future (Jun 1)

Pancake Bunny price today, BUNNY live marketcap, chart, and info | CoinMarketCap (Jun 1)

Hello Bunny Fam (Jun 1)

BSC's “Pancake Bunny” Exploited, Community Claims $1 Billion Loss - DeFi Rate (Jun 1)

@PancakeBunnyFin Twitter (Jun 1)

Pancake Bunny Hack (new update) - YouTube (Jun 1)

Slowmist Pancakebunny Hack Analysis (Jun 1)

Pancake Bunny Saga Revealing All The Details of Tough Transformation (Jun 1)

Pancake Bunny Exploit: $44 Million Stolen as BUNNY Token Crashed 99% in Seconds (Jun 1)

PancakeBunny Attacked With Massive $200M Flash Loan Exploit - BeInCrypto (Jun 1)

PancakeBunny (BUNNY) Part 2: ECONOMIC EXPLOIT, GO FORWARD PLAN & PRICE UPDATE - YouTube (Jun 1)

Pancake Bunny Just Died... $1 Billion EXPLOIT!! PANCAKE BUNNY HACKED | $BUNNY - YouTube (Jun 1)

@RektHQ Twitter (Jun 18)

PancakeBunny hacked for $40M+ (Jun 18)

SlowMist Hacked - SlowMist Zone (May 17)

Flash Loan Attack Causes DeFi Token Bunny to Crash Over 95% - CoinDesk (Jun 25)

blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 10)

Pancakebunny Incident Root Cause Analysis (Aug 10)

Address 0xa0acc61547f6bd066f7c9663c17a312b6ad7e187 | BscScan (Aug 10)

@FrankResearcher Twitter (Aug 10)

BSC PancakeBunny Exploit Post Mortem | cmichel (Aug 10)

Knownsec Blockchain Lab|Binance SmartChain PancakeBunny (BUNNY) Attack Event Analysis | by Knownsec Blockchain Lab | Medium (Aug 10)

The Pancakebunny Bunny Pool Incident Analysis (Aug 10)

Hack Track Pancake Bunny Hack (Aug 10)

@RektHQ Twitter (Aug 10)

CertiK Blockchain Security Leaderboard (May 31)