Code Security: The Past, Present and Future

Hello Bunny Fam,

As you are all aware, our project has suffered a Flash Loan attack, whereby the exploiter was able to manipulate the price of Bunny. First of all, we would like to remind the community again that your funds are safe! The exploit did not breach any of our actual vaults; it was rather a market manipulation fueled by a Flash Loan attack. Feel free to read the post mortem report: (https://pancakebunny.medium.com/hello-bunny-fam-a7bf0c7a07ba)

In essence, the exploiter transferred USDT and BNB to the PancakeSwap Pair contract and then called mint on the PancakePair contract with the pair contract itself as the receiver, so the newly minted LP tokens remained on the PancakePair. The exploiter then called to remove liquidity and received the surplus LP tokens; the minter mistook these surplus LP tokens for performance fees and minted an excess amount of Bunny.

That being said, we are happy to share that we have made changes to our code in order to prevent the same type of Flash Loan attack from happening again. Below are the two major changes enacted.

  1. The [PriceCalculatorBSC.sol] contract has been updated so that the token price oracle uses the Chainlink contract. The LP token price uses the code recommended by Alpha Homora. (ref: https://blog.alphafinance.io/fair-lp-token-pricing/) Using the decentralized price oracle from Chainlink we are able to establish “Fair asset prices” that will mitigate future price manipulations.
    Feel free to check the DiffChecker: https://www.diffchecker.com/S918SMpo
    On the right is the changed code, highlighted in green; on the left is the previous code, highlighted in red.
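To make the pricing change concrete, here is an added Python model of the fair LP token pricing formula from the Alpha Finance post linked above: LP price = 2 · sqrt(r0 · r1) · sqrt(p0 · p1) / totalSupply, where r0, r1 are the pool reserves and p0, p1 are externally sourced (oracle) token prices. This is example code written for this page, not the project's PriceCalculatorBSC.sol, and the pool numbers are constructed. It contrasts the fair formula with a naive reserve-weighted valuation and shows why the external oracle matters: a swap moves reserves along the constant-product curve without changing k = r0 · r1, so the fair formula fed with oracle prices is unaffected, whereas either the naive formula or the fair formula fed with pool-derived spot prices moves with the reserves.

```python
from decimal import Decimal, getcontext

getcontext().prec = 50  # enough precision that exact square roots stay exact


def naive_lp_price(r0, r1, p0, p1, total_supply):
    """Reserve-weighted valuation: (r0*p0 + r1*p1) / totalSupply.

    Reads the current reserve split, so a large swap inside the pool changes
    the result even when the oracle prices p0, p1 are untouched.
    """
    r0, r1, p0, p1 = map(Decimal, (r0, r1, p0, p1))
    return (r0 * p0 + r1 * p1) / Decimal(total_supply)


def fair_lp_price(r0, r1, p0, p1, total_supply):
    """Fair LP pricing (Alpha Finance): 2*sqrt(r0*r1)*sqrt(p0*p1) / totalSupply.

    Depends only on the pool invariant k = r0*r1 and on the supplied prices,
    so it is insensitive to how the reserves are currently split.
    """
    r0, r1, p0, p1 = map(Decimal, (r0, r1, p0, p1))
    k = r0 * r1
    return 2 * k.sqrt() * (p0 * p1).sqrt() / Decimal(total_supply)


def pool_spot_price0(r0, r1):
    """Price of token0 in units of token1 implied by the reserves alone (manipulable)."""
    return Decimal(r1) / Decimal(r0)


def swap_reserves_after(r0, r1, amount0_in):
    """Reserves after a constant-product swap of amount0_in token0 into the pool.

    Constructed simplification: the swap fee is ignored, so k stays exactly constant.
    """
    r0, r1 = Decimal(r0), Decimal(r1)
    k = r0 * r1
    new_r0 = r0 + Decimal(amount0_in)
    new_r1 = k / new_r0
    return new_r0, new_r1


def demo():
    """Constructed pool: 100 token0 (oracle price 100) and 10000 token1 (oracle price 1).

    totalSupply = sqrt(100*10000) = 1000 LP tokens, as a fresh constant-product pool mints.
    Returns the LP valuations before and after a 300-token0 swap shifts the reserves.
    """
    r0, r1, p0, p1, supply = 100, 10000, 100, 1, 1000
    m0, m1 = swap_reserves_after(r0, r1, 300)  # reserves become (400, 2500); k unchanged
    return {
        "naive_before": naive_lp_price(r0, r1, p0, p1, supply),
        "naive_after": naive_lp_price(m0, m1, p0, p1, supply),
        "fair_oracle_before": fair_lp_price(r0, r1, p0, p1, supply),
        "fair_oracle_after": fair_lp_price(m0, m1, p0, p1, supply),
        # fair formula, but with the pool's own spot price instead of the oracle
        "fair_spot_after": fair_lp_price(m0, m1, pool_spot_price0(m0, m1), p1, supply),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>20}: {value}")
```

Running the block shows the naive valuation jumping from 20 to 42.5 after the swap while the fair valuation with Chainlink-style oracle prices stays at 20; the last line shows that the fair formula alone is not enough, since feeding it pool-derived spot prices gives 5. Both halves of the change described above, the fair formula and the external oracle, are needed together.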

Steps Ahead to Strengthen Security

Although this was an economic exploit resulting from flash loans, and not a breach in our vaults themselves, Team Bunny has already taken, and will continue to take, steps to ensure future security and safety.

  1. We have received an audit for our single asset smart vaults from Hexlant Labs, a major auditing firm in Korea. We will be sharing the results soon!

Team PancakeBunny will use this unfortunate event as a lesson to strengthen our security measures, and come out the other end stronger than ever. We hope our example can also shed light and inform other actors in the DeFi space about the gravity and prevalence of flash loan attacks and other vulnerabilities resulting in a loss of user funds.

Bunny Finance

One of the most popular auto-compounding yield aggregators on the Binance Smart Chain. https://pancakebunny.finance/