PolyBUNNY Post-Mortem & Compensation

Bunny Finance
Jul 17, 2021

Hello Bunny Fam,

As many of you are aware, there was an economic exploit of polyBUNNY outside the polygon.pancakebunny.finance platform, resulting in the minting of 2.1M polyBUNNY and a drop in the price of polyBUNNY to just over $2 at Jul-16-2021 07:17:11 PM +UTC.

First and foremost, please rest assured:

  1. All vaults on polygon.pancakebunny are safe;
  2. The vulnerability has been addressed and our Sushi Vaults have reopened;
  3. All BSC PancakeBunny vaults are safe;
  4. BSC BUNNY has in no way been affected;
  5. Team Bunny will be giving — to everyone who held polyBUNNY at the time of the exploit — a share of the Team’s MND.

We are currently working with a number of key actors within the Polygon ecosystem and across blockchains to track the funds that resulted from the exploit and to identify the attacker if possible.

Please find below 1) our post-mortem of the attack and 2) our plan for compensation, and please stay tuned for further updates. Thank you for your patience.

1. Post-Mortem Summary: Profit Inflation

The attacker made a small deposit in one of our Bunny Vaults and, at the same time, made a large deposit directly to MiniChefV2 (SushiSwap). The attacker then called the function “withdrawAll” to execute the attack, with the amount deposited directly in MiniChefV2 counted as interest.

1.1. Exploit Method

The attacker took the following steps to exploit the polyBUNNY minter:

  • First, the attacker deposited 0.000000009416941138 SLP (~19,203 USD) into the polygon.pancakebunny USDT-USDC Vault.
  • Next, the attacker directly deposited 0.000023532935903931 SLP (~47,990,975 USD) to the USDT-USDC MiniChefV2 contract on SushiSwap.
  • This generated a performance fee of 0.000007006743943544 SLP (~14,284,950 USD) and,
  • Minted polyBUNNY to the attacker in the amount of 2,136,672.974656942582870591.
  • Finally, the attacker repaid AAVE’s flashloan and exited the attack gaining 1,281.702952074137533313 ETH.

1.2. Attack TX Log


1.3. Attacker’s Address


1.4. Post-Exploit Resolution, Reopening of Sushi Vaults

We have added the function “total balance state” to our Sushi Vaults to eliminate profit inflation. Please see https://www.diffchecker.com/Fo1mcQKL
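The profit inflation from 1.1 and the effect of a vault-tracked total balance, as a simplified accounting model added here for illustration; it is not Bunny’s contract code. The names `Farm`, `Vault` and `simulate`, the 30% fee rate, the constructed amounts, and the premise that the external contract credits a deposit to whichever account the caller names are all assumptions.

```python
FEE_BPS = 3000  # assumed performance fee (30%); the post does not state the rate


class Farm:
    """Stand-in for an external staking contract where anyone can deposit for any account."""
    def __init__(self):
        self.staked = {}

    def deposit(self, amount, to):
        self.staked[to] = self.staked.get(to, 0) + amount


class Vault:
    def __init__(self, farm, track_total):
        self.farm, self.track_total = farm, track_total
        self.total_balance = 0  # sum of deposits that went through the vault itself
        self.total_shares = 0
        self.shares, self.principal = {}, {}

    def balance(self):
        if self.track_total:
            return self.total_balance         # hardened: the vault's own bookkeeping
        return self.farm.staked.get(self, 0)  # vulnerable: anyone can raise this figure

    def deposit(self, user, amount):
        bal = self.balance()
        minted = amount if self.total_shares == 0 else amount * self.total_shares // bal
        self.farm.deposit(amount, to=self)
        self.total_balance += amount
        self.total_shares += minted
        self.shares[user] = self.shares.get(user, 0) + minted
        self.principal[user] = self.principal.get(user, 0) + amount

    def withdraw_all(self, user):
        """Fee charged on apparent profit (accounting only, no token transfers modelled)."""
        held = self.shares.pop(user)
        amount = self.balance() * held // self.total_shares
        profit = max(amount - self.principal.pop(user), 0)
        self.total_shares -= held
        return profit * FEE_BPS // 10_000


def simulate(track_total, vault_deposit=10, direct_deposit=1_000_000):
    """Constructed amounts: a small vault deposit, then a large deposit straight to the farm."""
    farm = Farm()
    vault = Vault(farm, track_total)
    vault.deposit("depositor", vault_deposit)
    farm.deposit(direct_deposit, to=vault)  # bypasses the vault's own bookkeeping
    return vault.withdraw_all("depositor")
```

With the externally reported balance, `simulate(False)` charges a fee on the whole direct deposit; with the tracked total, `simulate(True)` sees no profit and charges nothing.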

2. Post-Exploit Compensation

2.1. Who is eligible?

Everyone who held polyBUNNY at the time of the exploit, including polyBUNNY-ETH and polyBUNNY-QUICK, is eligible to participate in the Compensation program. This means that the Team will verify all of the wallet addresses that held polyBUNNY (whether in token form or as part of an LP pair) during the exploited block (i.e. block number 16933434 — https://polygonscan.com/block/16933434).

2.2. How will I be compensated?

Everyone who held polyBUNNY at the time of the exploit will receive MND tokens from the Team’s share of MND.

2.3. What is MND, and how much is MND worth?

MND is the fixed-volume utility token associated with the Mound (MND) Vault. The Bunny Community has contributed nearly 2M BUNNY to the Mound (MND) Vault, and the Team has/will contribute(d) 1M BUNNY, 1M polyBUNNY, 100M QBT, a portion of all future project tokens, and a share of all future fees from fee-based products (e.g. Multiplexer). The final price of MND will be set at the close of the Community commitment period in a little over 1 week and will be determined by the total value of the assets committed to the Mound (MND) Vault.

2.4. How much will the total compensation be, and how many MND will I get?

Team Bunny will distribute a total of $2.4M in MND tokens as total compensation to polyBUNNY holders. This amount corresponds to the amount that was exploited by the attacker. The number of MND tokens you will receive depends on the price of MND. Suppose the final value (i.e. the total value of assets committed to the Vault by 26 July) in the Mound (MND) Vault is $50M and 1M MND is minted. Then each MND would be worth $50, and all of the polyBUNNY holders would receive 2.4M/50 = 48,000 MND in total. And you would get a number proportional to the size of your bag of polyBUNNY vs. the total number of polyBUNNY prior to the exploit.

3. Closing Thoughts

As ever, Bunny Fam, we remain profoundly grateful for your trust and support. We deeply regret this incident, and will do our best to restore the upward trajectory of polyBUNNY. In the meantime, the Team is directly compensating everyone who possessed polyBUNNY at the time of the exploit in the amount of $2.4M, or roughly the amount exploited by the attacker. Thank you!


