PolyBUNNY Post-Mortem & Compensation

  1. All vaults on polygon.pancakebunny are safe;
  2. The vulnerability has been addressed and our Sushi Vaults have reopened;
  3. All BSC PancakeBunny vaults are safe;
  4. BSC BUNNY has in no way been affected;
  5. Team Bunny will be giving — to everyone who held polyBUNNY at the time of the exploit — a share of the Team’s MND

1. Post-Mortem Summary: Profit Inflation

1.1. Exploit Method

  • First, the attacker deposited 0.000000009416941138 SLP (~19,203 USD) into the polygon.pancakebunny USDT-USDC Vault.
  • Next, the attacker directly deposited 0.000023532935903931 SLP (~47,990,975 USD) to the USDT-USDC MiniChefV2 contract on SushiSwap.
  • This generated a performance fee of 0.000007006743943544 SLP (~14,284,950 USD) and,
  • Minted polyBUNNY to the attacker in the amount of 2,136,672.974656942582870591.
  • Finally, the attacker repaid AAVE’s flashloan and exited the attack gaining 1,281.702952074137533313 ETH.

1.2. Attack TX Log

1.3. Attacker’s Address

1.4. Post-Exploit Resolution, Reopening of Sushi Vaults

2. Post-Exploit Compensation

2.1. Who is eligible?

2.2. How will I be compensated?

2.3. What is MND, and how much is MND worth?

2.4. How much will the total compensation be, and how many MND will I get?

3. Closing Thoughts



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Bunny Finance

Bunny Finance


One of the most popular auto-compounding yield aggregators on the Binance Smart Chain. https://pancakebunny.finance/