Bunny Finance
4 min readMay 20, 2021

Hello Bunny Fam.

Today, there was an economic exploit attack on our Bunny Protocol.

This report includes an in-depth analysis of the attack in its entirety in order to ascertain the nature of the exploit and, to prevent any similar exploits in the future.

Summary

  1. The exploiter staged (and exited) the attack using PancakeSwap (PCS)
  2. By exploiting a difference in PCS pricing, the hacker intentionally manipulated the price of USDT/BNB and Bunny/BNB, acquiring a huge amount of Bunny through the use of Flash Loans.
  3. The exploiter dumped all the Bunny in the market (Ethereum), causing the price of Bunny to plummet
  4. The exploiter then exited the attack by paying back the remaining BNB (by having exploited the price difference from before) on PCS.

Here is a brief report and detailed timeline of what the exploiter carried out from the beginning:

Exploiter’s wallet address: 0xa0ACC61547f6bd066f7c9663C17A312b6Ad7E187

Exploit transaction: https://bscscan.com/tx/0x897c2de73dd55d7701e1b69ffb3a17b0f4801ced88b0c75fe1551c5fcce6a979

May 19, 2021 Thursday

Timeline of attack
Start of attack.

10:31:25 PM +UTC — Deposited 1BNB worth of USDT/BNB on the USDT/BNB Flip Vault in order to stage the attack. Expectedly, a quantity of LP 9.275 is deposited to the exploiter’s contract.

10:34:28 PM +UTC — Exploit executed. (more details below)

10:36:00 PM +UTC — Unusual increase in Bunny price detected. (Reported by Operations Team)

10:45:10 PM +UTC — In order to whitewash / launder the extorted WBNB from the exploit, 114,631BNB was sent to the following address:

0x158c244b62058330f2c328c720b072d8db2c612f

11:18:10 PM +UTC — Officially confirmed as a Flash Loan attack. Paused all deposits/withdrawals to the Vault in order to prevent further attacks.

11:59:55 PM +UTC — From the same address above, about 488,071.8989395982 BUNNY was swapped for about 9,161.3295578776BNB, where a portion of it (327.2930347138 BNB) was further swapped for about 43.2463201179 ETH on PCS via 1inch contract
(0x11111112542d85b3ef69ae05771c2dccff4faa26)

End of attack.

May 21, 2021 Friday

06:30:00 AM +UTC — Restore withdrawal/deposit function to the Vault

Details of the exploit transaction from 10:34:28 PM +UTC are as follows:

  1. Exploiter secured the funds on PancakeSwap (PCS) to stage and carry out the flash loan attack (hereafter termed “flashed”, the whole sequence was done within one, single transaction)
    - Flashed 1,051,687 WBNB to PCS CAKE/BNB
    - Flashed 522,524 WBNB to PCS BUSD/BNB
    - Flashed 210,158 WBNB to PCS ETH/BNB
    - Flashed 133,504 WBNB to PCS BTCB/BNB
    - Flashed 241,021 WBNB to PCS SAFEMOON/BNB
    - Flashed 98,189 WBNB to PCS BELT/BNB
    - Flashed 66,290 WBNB to PCS DOT/BNB
    - Flashed 2,961,750 USDT to ForTube
  2. Exploiter minted 144,445 LP by pairing 7,744BNB and 2,961,750 USDT (from the previous stage, on ForTube) on the PancakeSwap V2 USDT/BNB pool (directly minted using Pair contract).
  3. Swapped 2,315,631 WBNB to 3,826,047 USDT on the PancakeSwap V1 USDT/BNB pool (thereby exploiting the pricing on Version 1 of the PancakeSwap USDT/BNB).
  4. Recalled minted Bunny using getReward. Here, the minted 144,445 LP from step 2) were transferred to BunnyMinter.
  5. By using removeLiquidity on all 144,445 LP tokens, exploiter generated 2,961,750 USDT + 7,744 WBNB (as per pair contract) and, in the process of swap on V1 of PancakeSwap BUNNY/BNB with the exploited price from stage 3, resulting in the issuing of 105,257 BUNNY/BNB tokens using 10,836 BUNNY and 1,156,330 WBNB.
  6. With the newly created BUNNY/BNB from stage 5, BNB Value was calculated to around 2,324,152 BNB and, as a result, issuing 6,972,455 BUNNY
  7. From the 6,972,455 BUNNY, the following happened:
    - 4,880,718 BUNNY exchanged as 2,384,754 BNB on PCS V1 BUNNY/BNB pool
    - 1,394,491 BUNNY exchanged as 56,270 BNB on PSC V2 BUNNY/BNB pool
  8. Returned all payments made using Flash Loan again
    (on the latest PancakeSwap, hereby PCS)
    - Repaid 2,964,119 USDT on ForTube.
    - Repaid 66,463 WBNB on PCS DOT/BNB
    - Repaid 98,445 WBNB on PCS BELT/BNB
    - Repaid 241,528 WBNB on PCS SAFEMOON/BNB
    - Repaid 133,852 WBNB on PCS BTCB/BNB
    - Repaid 210,706 WBNB on PCS ETH/BNB
    - Repaid 523,886 WBNB on PCS BUSD/BNB
    - Repaid 1,054,429 WBNB on PCS CAKE/BNB
    - Remainder of 114,631 WBNB sent to the exploiter’s address (thereby incurring as malicious gains for the exploiter).

We want to thank all the individuals and projects who reached out and helped with pertinent information, and we are continuing to investigate and are in communications with Binance and Etherscan regarding token transfers and other actions.

To speak candidly, we have been eager to roll out new service offerings, such as Cross Chain and other upcoming features — and we are still committed to evolving as a project. Given the gravity of this incident and its impact on the community, we reaffirm our focus to close any further vulnerabilities. Moreover, we are committed to providing a solution by which we can restore the value lost by our community and restore their confidence in the project.

Bunny Finance
Bunny Finance

Written by Bunny Finance

One of the most popular auto-compounding yield aggregators on the Binance Smart Chain. https://pancakebunny.finance/

Responses (2)