Hello Bunny Fam.

Today, there was an economic exploit attack on our Bunny Protocol.

This report includes an in-depth analysis of the attack in its entirety, in order to ascertain the nature of the exploit and to prevent any similar exploits in the future.

Summary

Here is a brief report and detailed timeline of what the exploiter carried out from the beginning:

Exploiter’s wallet address: 0xa0ACC61547f6bd066f7c9663C17A312b6Ad7E187

Exploit transaction: https://bscscan.com/tx/0x897c2de73dd55d7701e1b69ffb3a17b0f4801ced88b0c75fe1551c5fcce6a979

May 19, 2021 Thursday

Timeline of attack
Start of attack.

10:31:25 PM +UTC — Deposited 1 BNB worth of USDT/BNB into the USDT/BNB Flip Vault in order to stage the attack. As expected, 9.275 LP was deposited to the exploiter’s contract.

10:34:28 PM +UTC — Exploit executed. (more details below)

10:36:00 PM +UTC — Unusual increase in Bunny price detected. (Reported by Operations Team)

10:45:10 PM +UTC — In order to launder the WBNB obtained from the exploit, 114,631 BNB was sent to the following address:

0x158c244b62058330f2c328c720b072d8db2c612f

11:18:10 PM +UTC — Officially confirmed as a Flash Loan attack. Paused all deposits/withdrawals to the Vault in order to prevent further attacks.

11:59:55 PM +UTC — From the same address above, about 488,071.8989395982 BUNNY was swapped for about 9,161.3295578776 BNB, of which a portion (327.2930347138 BNB) was further swapped for about 43.2463201179 ETH on PCS via the 1inch contract (0x11111112542d85b3ef69ae05771c2dccff4faa26).

End of attack.

May 21, 2021 Friday

06:30:00 AM +UTC — Restore withdrawal/deposit function to the Vault

Details of the exploit transaction from 10:34:28 PM +UTC are as follows:

We want to thank all the individuals and projects who reached out and helped with pertinent information, and we are continuing to investigate and are in communications with Binance and Etherscan regarding token transfers and other actions.

To speak candidly, we have been eager to roll out new service offerings, such as Cross Chain and other upcoming features — and we are still committed to evolving as a project. Given the gravity of this incident and its impact on the community, we reaffirm our focus to close any further vulnerabilities. Moreover, we are committed to providing a solution by which we can restore the value lost by our community and restore their confidence in the project.

Bunny Finance

One of the most popular auto-compounding yield aggregators on the Binance Smart Chain. https://pancakebunny.finance/