Code Security: The Past, Present and Future

Hello Bunny Fam,

As you are all aware, our project has suffered a Flash Loan attack, whereby the expoiter was able to manipulate the price of Bunny. First of all, we would like to remind the community again that your funds are safe! The exploit did not breach any of our actual vaults, it was more so a market manipulation fueled by a Flash Loan attack. Feel free to read the post mortem report: (https://pancakebunny.medium.com/hello-bunny-fam-a7bf0c7a07ba)

In essence, the exploiter transferred USDT and BNB to the Pancakeswap Pair contract, which called the minting of PancakePair contract pointing the receiver to the contract itself and the LP tokens remained on the PancakePair. The exploiter then called to remove liquidity and got the redundant LP tokens, resulting in the minter misunderstanding the redundant LP tokens as performance fees and minting an excess amount of Bunny.

That being said, we are happy to share that we have made changes to our code in order to prevent the same type of Flash Loan attack from happening again. Below are the two major changes enacted.

1. The function, [PriceCalculatorBSC.sol] has been updated so that the token price oracle can use the Chainlink contract. The LP token price uses the code recommended by alpha homera. (ref: https://blog.alphafinance.io/fair-lp-token-pricing/) Using the decentralized price oracle from Chainlink we are able to establish “Fair asset prices” that will mitigate future price manipulations.
   Feel free to check the DiffChecker: https://www.diffchecker.com/S918SMpo
   On the right is the code that has been changed, highlighted in green vs. the left is the previous code highlighted in red.
2. We have updated the code so that if there is an irregular pair balance in the pair contract of Bunny minter, the protocol will check it through, remove excess irregularities (dust) and remove liquidity seamlessly. We have back tested this strategy and have confirmed it to block a potential flash loan attack. Furthermore, the function, [BunnyMinterV2.sol] has also been updated whereby the performance fees accrued are not swapped into Bunny/Bnb, but will be sent to treasury contract in their respective tokens. Previously, performance fees were held in Bunny/BNB resulting in a crash in the value, as the Bunny/BNB price was manipulated through the exploit. The minting calculation of performance fee will now use the Chainlink price oracle data as seen above in #1.
   DiffChecker: https://www.diffchecker.com/mtT6bZPj

Steps Ahead to Strengthen Security

Although this was an economic exploit resulting from flash loans, and not a breach in our vaults themselves, Team Bunny will take/have already taken steps to ensure future security and safety.

1. We have received an audit for our single asset smart vaults from Hexlant Labs, a major auditing firm in Korea. We will be sharing the results soon!
2. After we look through the quality of the SAV audit report, we will choose a few auditing firms to audit our entire code, including our upcoming Cross Chain. Our Cross Chain code is expected to be finished within the week, so we expect full audits from multiple firms starting within the next few weeks.
3. We have most recently onboarded a core member of our development team who has a PhD degree in computer science, 12 years of coding experience and 5 years of experience from one of Korea’s leading cyber security research centers. We expect with his addition to the team, and his professional connections in the world of white hats (ethical hacking), will strengthen Bunny’s cybersecurity and internal code.
4. We have some exciting new ideas for a native in-house insurance product. It is still in the ideation phase, but we hope to roll this out in the near future, to act as an additional level of security buffer.
5. As stated in our “Go Forward Plan” our new, innovative lending platform, codename “QFI’’ will be ready for a soft launch in 2 months time. Our single asset vaults, which serve as an integral part of our future cross chain launch, currently has an external exposure to the Venus Platform. As such, after launching QFI, we will be vertically integrating this lending platform into our single asset vaults, resulting in a seamless, end to end cross chain that is controlled and developed all in-house. This shift will mitigate future vulnerabilities tied to external platform exposure.

Team PancakeBunny will use this unfortunate event as a learning lesson to strengthen our security measures, and come out the other end stronger than ever. We hope our example can also shed light and inform other actors in the DeFi space about the gravity and prevalence of flash loan attacks and other vulnerabilities resulting in a loss of user funds.