PRIORITIZING SECURITY: MULTI-LAYER CODE REVIEW WITH IMMUNEFI

Bunny Finance
Jul 21, 2021


Hello Bunny Fam,

In response to the recent exploit, Team Bunny is slowing the pace of its product releases to make security its top priority. Our prior focus was on expanding the PancakeBunny ecosystem and injecting value into the PancakeBunny Community as quickly as possible in order to speed the recovery of our services. However, an extensive review of the processes leading to the recent exploit has taught us that we must revise our development and implementation practices to create the strongest security regime in DeFi.

At a high level, our security regime for new platforms will consist of the following steps:

  1. Completion of contracts and release on testnet
  2. Submission of contracts for comprehensive audits
  3. Implementation of aggressive pre-launch bug bounty program
  4. Completion of audits
  5. Resolution of issues identified by audits and bounty program
  6. Launch on mainnet

1. Aggressive Bounty Programs with ImmuneFi, the Number 1 Bounty Platform

The PancakeBunny bounty program has been live for 3 weeks on ImmuneFi at https://immunefi.com/bounty/pancakebunny/. We have also initiated an aggressive bounty program for polygon.pancakebunny.finance at https://www.immunefi.com/bounty/polybunny.

Qubit is the first new product release that will follow our revised security protocol. Qubit is live on the BSC Testnet, our audit is scheduled to be completed in early September, and we have initiated our pre-launch bounty program with ImmuneFi here: https://www.immunefi.com/bounty/qubit.

2. Multi-Layered Code Review for Maximum Security

Yield aggregation protocols have complex interactions with external platforms, which makes it even more important to conduct code review from multiple sources. Team Bunny is now building its internal resources so that it can dedicate engineers exclusively to reviewing code and external interactions. We are also adding a second layer of code review by committing to hold the release of new products and features until comprehensive audits are fully complete. This process can add weeks to the release roadmap, and we deeply regret that our desire to deliver ecosystem value in an extremely tight timeframe led us to conduct the audits and the beta release of Polygon.PancakeBunny simultaneously.

But as the multitude of attacks on DeFi projects in recent months has revealed, internal code review and audits by well-established groups are not always sufficient: some of the projects that fell to flash loan attacks had been audited. It has become apparent that the extra layer of protection provided by audits alone is insufficient, especially as many vulnerabilities can be exacerbated by changes in the ecosystem, such as the dislocations caused by the Venus and PancakeSwap migrations earlier this year.

Therefore Team Bunny is fully committed to working with ImmuneFi to develop an aggressive bounty program that is initiated pre-launch, before projects go live in beta service. One of ImmuneFi’s greatest features is its approach to mobilizing the whitehat community: it coordinates with project teams a rewards program that is commensurate with the substantial time and energy whitehats must invest in reviewing code, testing possible attack vectors, and reporting actionable results to development teams. Another important feature of ImmuneFi’s approach is using the bounty structure to convert potential malicious actors into whitehats who are appropriately and lucratively rewarded for their efforts to ensure the longevity and success of the Great DeFi Experiment.

3. Concluding Remarks

Bunny Fam, we here at Team Bunny deeply regret the exploit and its impact on the Community. We understand that we need to show the Community a great deal of progress to regain your trust, and we are fully committed to making every possible effort to do so. We have reviewed the flaws in our process as we tried to expand the ecosystem to hasten PancakeBunny’s recovery, and we believe that, as we build upon our new launch protocols, we have taken the first steps towards building the strongest security regime in all of DeFi. Thank you, as always, for your steadfast support, and remember, as always, Keep Calm and HOP ON!
