PolyBUNNY Post-Mortem & Compensation

Hello Bunny Fam,

As many of you are aware, there was an economic exploit of polyBUNNY outside the polygon.pancakebunny.finance platform, resulting in the minting of 2.1M polyBUNNY and a drop in the price of polyBUNNY to just over $2 at Jul-16–2021 07:17:11 PM +UTC.

First and foremost, please be rest assured:

  1. All vaults on polygon.pancakebunny are safe;
  2. The vulnerability has been addressed and our Sushi Vaults have reopened;
  3. All BSC PancakeBunny vaults are safe;
  4. BSC BUNNY has in no way been affected;
  5. Team Bunny will be giving — to everyone who held polyBUNNY at the time of the exploit — a share of the Team’s MND

We are currently working with a number of key actors within the Polygon ecosystem and across blockchains to track the funds that resulted from the exploit and to identify the attacker if possible.

Please find below 1) our post-mortem of the attack and 2) our plan for compensation, and please stay tuned for further updates. Thank you for your patience.

1. Post-Mortem Summary: Profit Inflation

1.1. Exploit Method

  • First, the attacker deposited 0.000000009416941138 SLP (~19,203 USD) into the polygon.pancakebunny USDT-USDC Vault.
  • Next, the attacker directly deposited 0.000023532935903931 SLP (~47,990,975 USD) to the USDT-USDC MiniChefV2 contract on SushiSwap.
  • This generated a performance fee of 0.000007006743943544 SLP (~14,284,950 USD) and,
  • Minted polyBUNNY to the attacker in the amount of 2,136,672.974656942582870591.
  • Finally, the attacker repaid AAVE’s flashloan and exited the attack gaining 1,281.702952074137533313 ETH.

1.2. Attack TX Log

1.3. Attacker’s Address

1.4. Post-Exploit Resolution, Reopening of Sushi Vaults

2. Post-Exploit Compensation

2.1. Who is eligible?

2.2. How will I be compensated?

2.3. What is MND, and how much is MND worth?

2.4. How much will the total compensation be, and how many MND will I get?

3. Closing Thoughts

The way get more cakes