PolyBUNNY Post-Mortem & Compensation

  1. All vaults on polygon.pancakebunny are safe;
  2. The vulnerability has been addressed and our Sushi Vaults have reopened;
  3. All BSC PancakeBunny vaults are safe;
  4. BSC BUNNY has in no way been affected;
  5. Team Bunny will be giving — to everyone who held polyBUNNY at the time of the exploit — a share of the Team’s MND

1. Post-Mortem Summary: Profit Inflation

1.1. Exploit Method

  • First, the attacker deposited 0.000000009416941138 SLP (~19,203 USD) into the polygon.pancakebunny USDT-USDC Vault.
  • Next, the attacker directly deposited 0.000023532935903931 SLP (~47,990,975 USD) to the USDT-USDC MiniChefV2 contract on SushiSwap.
  • This generated a performance fee of 0.000007006743943544 SLP (~14,284,950 USD) and,
  • Minted polyBUNNY to the attacker in the amount of 2,136,672.974656942582870591.
  • Finally, the attacker repaid AAVE’s flashloan and exited the attack gaining 1,281.702952074137533313 ETH.

1.2. Attack TX Log

1.3. Attacker’s Address

1.4. Post-Exploit Resolution, Reopening of Sushi Vaults

2. Post-Exploit Compensation

2.1. Who is eligible?

2.2. How will I be compensated?

2.3. What is MND, and how much is MND worth?

2.4. How much will the total compensation be, and how many MND will I get?

3. Closing Thoughts

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Bunny Finance

Bunny Finance

4.8K Followers

One of the most popular auto-compounding yield aggregators on the Binance Smart Chain. https://pancakebunny.finance/