Earlier today, Pancake Bunny, a DeFi high-yield agricultural aggregator, suffered a short loan attack. The attacker lost approximately $45 million in just a few seconds.
Kicker? Nothing is violated. The attackers took advantage of two things: borrowing (an innovation of DeFi) and software vulnerabilities on the DeFi platform.
At 10:34 UTC on May 20th (Thursday), Pancake Bunny, a DeFi income agricultural aggregator and optimizer built on Binance Smart Chain (BSC), suffered a fast lending attack that used the code in the Bunny protocol . Before delving into the details of hacks, we should be familiar with some terms:
Flash loan attack: A flash purchase loan is a loan that is generated and repaid within the time frame required to create a new block on the blockchain. This is a loan and does not require the borrower to lay down any collateral. The borrower will quickly profit from this amount and refund the initial loan before forming a new block. In a quick loan attack, the scammer will take the loan to manipulate the market and/or exploit software vulnerabilities in the code.
Automatic market maker (AMM): Although not all decentralized exchanges are AMM platforms, some of the most popular DEXs are still. The AMM platform allows the use of programmed liquidity pools instead of a traditional order book that gathers buyers and sellers to automate cryptocurrency transactions.
Liquidity Pool: Liquidity refers to how easy it is to convert one asset into another without having too much price impact. The AMM platform collects funds into a liquidity pool through smart contracts to facilitate decentralized transactions, lending and other financial functions. For decentralized exchanges such as Uniswap or PancakeSwap, the liquidity pool allows the platform to operate smoothly.
Liquidity providers and LP tokens: Encourage liquidity providers to provide assets to the liquidity pool so that tokens can be easily traded on the platform. For example, part of the fees incurred through intra-pool transactions can be used to “repay” liquidity providers. In addition, when a liquidity provider invests assets in the asset pool, the AMM platform will automatically generate an LP token, and then the LP token can also be used for other functions (on its native platform or other DeFi applications) for liquidity Sex providers can even receive higher returns.
Total Value Lock (TVL): The locked total value is used as a factual indicator to show the growth of decentralized finance, usually in the form of loan collateral or liquidity in the trading pool, and the amount of capital that has been deposited in DeFi.
What do we know so far?
Contrary to the previously reported $1 billion stolen by Pancake Bunny, Igor IgamberdievResearch analysts at The Block Crypto revealed that about 45 million U.S. dollars (114,000 WBNB) were actually stolen. The attacker took advantage of the fast loan through PancakeSwap (PCS).
Today, BUNNY tokens worth more than $1B+ were minted from Bunny Finance on BSC, resulting in the theft of $40M+:
– 114k WBNB ($40M)
– 697k rabbit
As a result, the price of BUNNY fell from US$146 to US$6 pic.twitter.com/BBVfWOHgZH
-Igor Igamberdiev (@FrankResearcher) May 20, 2021
In a series of tweets, Igor decomposed the attacker’s behavior into six steps, which was confirmed by Pancake Bunny. Autopsy:
At present, the attacker has withdrawn 10.1k ETH ($23.5 million) from Ethereum through the neural bridge, and another $14 million is on its BSC address. pic.twitter.com/h9taC5bcPj
-Igor Igamberdiev (@FrankResearcher) May 20, 2021
- Deposit USDT worth 1BNB into the rabbit USDT-WBNB vault for attack. Due to this deposition, 9.275 LPs were generated.
- Used emergency loans to borrow 2.3 million BNB ($704 million) from 7 PancakeSwap pools and 2.9 million USDT from ForTube Bank.
- Deposit 7,700 BNB and 2.9 million USDT of liquidity into the PancakeSwap USDT-WBNB pool, as well as the LP tokens generated in step 1.
- Through the PancakeSwap USDT-WBNB pool, 2.3 million BNB was traded to USDT, which flooded the funds in the pool with BNB and significantly reduced the amount of USDT in the pool.
- With the help of LPs in the PancakeSwap USDT-WBNB pool, Bunny Finance believes that the exploiter added a large amount of BNB to the system, which triggered the system, causing the system to raise 7 million BUNNY ($1 billion).
- Then, Exploiter sold 4.8 million pounds for $2.3 million WBNB and $2.9 million USDT, which were then used to repay the fast loan borrowed in step 2.
As Pancake Bunny’s “Forward plan“, all vaults are safe and no vault is violated. However, when the newly minted BUNNY flooded the market in step 5, the price of BUNNY plummeted. Part of Pancake Bunny’s TVL is located in BUNNY, so-despite the vault It is undamaged-TVL is still lost.
Who was hurt by this attack?
The biggest victims in this incident were BUNNY’s main victims:
- 7 million BUNNY tokens were created out of thin air, and the existing tokens were diluted, causing the price of BUNNY to fall.
- Due to the sale of BUNNY tokens in the market, the liquidity of BUNNY (that is, how easy it is for BUNNY to sell in the market) has been completely blocked.
Pancake Bunny outlined the measures they have taken to promote 1) TVL, 2) market capitalization and 3) compensation for everyone’s losses as quickly as possible in their “plan forward”.
What does this mean for fast loans, fast loan attacks, and DeFi platforms?
The unique feature of short-term loans is that borrowers can be like whales in the market with almost no collateral, so almost everyone can manipulate the market and exploit vulnerabilities in the smart contract code.
As with any emerging industry, mistakes will be made at the beginning, and the industry will learn from these types of attacks. Then the system and infrastructure will be strengthened to ensure the security of transactions using the DeFi platform.