- About the Exploit
- Plan Objectives
- Plan for PancakeBunny Operations — BUNNY Emissions, Bunny Pool
- Value Retained by Original BUNNY Holders (ROV)
- Plan for New Tokens, Platinum BUNNY (pBUNNY)
- Compensation Pool for pBUNNY
- Performance Fee Contribution (C1)
- Team Contribution (C2)
- Recovered Funds Contribution (C3)
- QFI Token Contribution (C4)
- Compensation Process
- pBUNNY Swap
- Total Circulating BUNNY Post-Swap
- Plan to Buy Back and Burn
Summary — TL;DR
- No vaults were compromised. The exploit crashed the price of BUNNY. $1bn in TVL was not stolen. Please see our detailed post mortem.
- Once code has been fixed in the next 24 hours, PancakeBunny will resume normal operations with increased BUNNY emissions. Over the next 90 days, the Bunny Pool will disburse 100% of the performance fees accumulated up to the time of the exploit.
- At the present time, Original BUNNY Holders as a class have retained approximately $39M in value.
- We will compensate Original Holders for the difference between the market cap at the time of the exploit and the current retained value of $39M (the Losses) by issuing a new token, pBUNNY, and by creating a Compensation Pool
- The Compensation Pool will be funded by Performance Fees, a direct contribution from the Team, any funds recovered from the exploit, and an airdrop of tokens for QFI, a new lending/swap project designed to mitigate dependencies on Venus and PancakeSwap
- At the end of 90 days, the Original Holders will swap their pBUNNY for BUNNY at a discount to the market rate
- The problem of increased BUNNY Supply will be mitigated by an aggressive buy back and burn program that will include the no-loss Bunny Pots, Cross Chain farming fees, and, if necessary, the burning of Team Bunny for an optimal period of time
Hello Bunny Fam, and thank you all for your patience.
About the Exploit
1. First of all, all of the Vaults are safe. No vaults were breached, and $1bn in TVL WAS NOT STOLEN from our vaults. However, a hacker was indeed able to gain ~$45M from this incident.
2. Where did the money come from, if not from the vaults? This was an economic exploit that combined a flash loan attack and took advantage of the low liquidity on PCS V1 to mint ~6.9M BUNNY and then dump it on the market. We have researched and isolated the vulnerability, detailed a post mortem, and should have a fix in place within the next 24 hours.
3. If it was only $45M and it wasn’t from the Vaults, then why the huge drop in TVL? The crash in BUNNY price affected other vaults with BUNNY exposure. Therefore, we locked Vaults within the hour.
4. We have devised a plan designed to drive the recovery of 1) TVL, 2) Market Cap 3) and compensate everyone for their Losses as soon as possible. We are able to do so because this was an economic exploit that attacked BUNNY, so we are not completely dependent on recovering funds from the hacker. Our target is to resume deposits and withdrawals at around 06:30, May 21 UTC (when timelock is executed), and we will turn off the 0.5% withdrawal fee for the time being.
Plan for PancakeBunny Operations, BUNNY Emissions, Bunny Pool
5. First — BUNNY will continue to operate as before, but with a higher fixed emission rate of X BUNNY per BNB, where X > 125% of the market price of BNB / the market price of BUNNY. For example, if the market price of BNB is $300 and BUNNY is $30, then X = (125% of 10) = 12.5. This new rate of emissions will be set to ensure a high APY to retain and attract TVL (the “New Emissions Rate”, or “NER”).
6. Everyone who holds BUNNY tokens will still be able to stake their BUNNY in the original Bunny Pool, just as they do now. The Bunny Pool will continue to distribute the performance fees that have accumulated up to the time of the exploit. This amount is approximately $55M, and will be distributed to stakers over the next 90 days. Note that $55M is roughly equivalent to what the protocol would have distributed through the Bunny Pool over 3 months if our TVL averaged between $2–3bn. This means that, we will distribute all of the performance fees accumulated before the exploit to everyone who stakes BUNNY in the next 90 days.
Value Retained by Original BUNNY Holders (ROV)
7. Second, note that at the time of this announcement, all holders of BUNNY right before the attack — the “Original Bunny Holders” — currently retain a certain amount of value at the current price — the “Retained Original Value” (ROV). The ROV = the number of BUNNY held by the Original Bunny Holders X the market price of BUNNY at the time of this announcement. This amount is approximately equal to 1.3M X $30 = $39M.
Plan for New Tokens, pBUNNY
8. However, we are also issuing a new token to construct a mechanism to compensate the Original Bunny Holders for lost Market Cap (there were zero losses from our Vaults). The new token, Platinum Bunny or pBUNNY, will be distributed by air drop or similar method to all of the Original Bunny Holders, including holders of BUNNY-BNB LP tokens.
Compensation Pool for pBUNNY
9. We will then create a new Compensation Pool that will begin accumulating compensation rewards from four sources to be enumerated further below. All pBUNNY holders will be able to claim their compensation rewards from the Compensation Pool on a frequent, possibly even daily, basis.
Performance Fee Contribution (C1)
10. The first source of contributions to the Compensation Pool is the performance fee. Beginning tomorrow and for the next 90 days, the PancakeBunny performance fee of 30% of protocol yields (the Bunny Distribution) will begin to accumulate in the new Compensation Pool (C1). Based on historical performance, if PancakeBunny TVL averages between $1–2bn over the next 3 months, pBUNNY holders can expect to receive a total of $30M in performance fees through the Compensation Pool
Bunny Team Contribution (C2)
11. The Bunny team will contribute the second source of compensation rewards to the Compensation Pool. Normally, BUNNY is minted to Team Bunny at a rate of 15 BUNNY for every 100 BUNNY that is minted to the community, in exchange for the performance fee of 30%.
Beginning tomorrow, however, Team Bunny will send all of the BUNNY it receives from the protocol to the Compensation Pool (C2).
Recovered Funds Contribution (C3)
12. The third source of compensation consists of any funds that are recovered from the exploit (C3). We are currently working closely with Binance, a number of security teams, and other members of the ecosystem to trace and block the exit of the ETH out of Ethereum.
QFI Token Contribution (C4)
13. The fourth source of compensation consists of new project tokens in our combined lending and swapping protocol codenamed QFI ready to soft launch in approximately 60 days (C4). QFI tokens will be air-dropped 1:1 to pBUNNY holders. The new L1 protocol will offer users the opportunity to generate single asset lending returns like AAVE (Ethereum) and Venus (BSC), while giving them the option to receive much higher concentrated liquidity returns in a specific price range like Uniswap V3.
14. Project QFI will be a next generation lending platform launching in the near future. Initially we didn’t plan to reveal it to the public this early, but we felt it was right to find more ways to reward the users that were affected by the recent exploit. QFI will be a great complement to Bunny and the BSC ecosystem. QFI is necessary because the current disconnect between L1 and L2 protocols has led to significant disruptions in PancakeBunny and other L2 projects, even contributing to the recent exploit. The hacker’s exploitation of vulnerabilities in our code was exacerbated by the low liquidity left in the V1 USDT-BNB pool after the PancakeSwap V2 migration. QFI will allow us to develop code in a fully vertically integrated way, connecting L1 and L2 processes in a way that will allow complete auditing of the entire value chain for all major updates, as well as planning and execution of their implementation.
15. To recap, Team Bunny is taking a snapshot right before the exploit. pBUNNY will be distributed to everyone who held BUNNY at the moment of the exploit. pBunny holders will claim compensation from a Compensation Pool that, for the next 90 days, accumulates contributions from ‘Go Forward’ performance fees, ‘Go Forward’ BUNNY earned by the Team, all amounts recovered from the exploit, and QFI tokens.
16. The final component is a swap of pBUNNY for regular BUNNY at the end of the 90 day period. This will be calculated based on the following formulae:
Total Compensation In Hand at the end of the 90 days (TCIH) = ROV + C1 + C2 + C3 + C4
EXAMPLE: Based on an assumed average TVL of $1–2bn over the 90 day period, recovery of $5M from exploit, ~1.3M BUNNY held by Original Holders prior to exploit, and QFI price = $Z, we can estimate:
TCIH = $39M + $30M + $5M + $5M + 1.3M * $Z
TCIH > $79M
Total Accrued Compensation (TAC) = the BUNNY price immediately prior to the exploit X the number of BUNNY immediately prior to the exploit (excluding the Team’s BUNNY) X 110% bonus multiple (equivalent to ~3.23% monthly interest compounded for 3 months)
EXAMPLE: TAC = ~$150 X ~1.3M X 110% = ~$215M
Total Compensation Pool Shortfall (TCPS) = TAC — TCIH
EXAMPLE: TCPS = $215M — $79M = $136M
Number of BUNNY swapped per pBUNNY (NBS) = TCPS / (market price of BUNNY after 90 days)
EXAMPLE: if market price of BUNNY is $30 after 90 days, then NBS = $136M/$30 = ~4.53
So each pBUNNY would be swapped for 4.53 BUNNY. Then the total number of BUNNY swapped would be ~5.89M new BUNNY.
Total Circulating BUNNY Post-Swap
17. This means Total Amount of BUNNY in circulation post swap (TAB) would be 1.5M + 9.5M + (C1 / average price of BNB over 90 days) * NER + C1 * 13.3% + 5.89M
TAB = 11M + (30M/300) * 12.5 + 30M * 13.3% + 5.89M
TAB = 11M + 125K + 3.99M + 5.89M = ~21M
Plan to Buy Back & Burn
18. In order to control the amount of BUNNY in circulation, Team Bunny will implement aggressive measures to buy back and burn circulating BUNNY, including using Cross Chain fees, Bunny Pot (upcoming new no-loss jackpot feature) fees, and, if necessary, burning all BUNNY emitted to the Team for an optimal amount of time.