Binance Smart Chain's PancakeBunny protocol exploited, $45 million drained

Quick Take

  • Binance Smart Chain’s PancakeBunny protocol was exploited using flash loans.
  • The attacker used the exploit to mint extra tokens and take home a profit of $45 million.
  • The price of BUNNY collapsed by nearly 100%.

PancakeBunny Finance, a decentralized finance (DeFi) protocol based on the Binance Smart Chain, was exploited late Wednesday and saw $45 million drained from its ecosystem.

The attacker used an exploit to mint millions of bunny tokens and sold the majority of them for BNB, leaving liquidity providers short. While this didn't affect the protocol's vaults directly, it sank the price of bunny tokens, affecting all holders.

Here's how the attack happened

The exploit was possible because PancakeBunny had a bug in how the protocol calculates the number of new bunny tokens to be minted, according to The Block Research's Igor Igamberdiev. Bunny (BUNNY) is the native governance token of the protocol.

The calculation function for minting new tokens depended on the price of the BNB-USDT pool. If the ratio of the BNB or USDT reserves of this pool were higher, the pool’s price would fall — and vice versa. In other words, the price of this pool could be manipulated based on the reserves of BNB and USDT.
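To make the reserve dependence concrete, here is an added illustration (not code from PancakeBunny or from the original article): a constant-product pool with fees ignored and constructed reserves, showing how one large swap moves the spot price read from reserves and how a deviation check against a reference price, such as a time-weighted average, refuses the skewed reading. The `Pool` class, the `value_in_usdt` function and the 2% threshold are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Constant-product pool (bnb * usdt = k), fees ignored. Assumed model."""
    bnb: float
    usdt: float

    def spot_price(self) -> float:
        """USDT per BNB, read directly from the current reserves."""
        return self.usdt / self.bnb

    def swap_bnb_in(self, amount: float) -> float:
        """Sell `amount` BNB into the pool; return the USDT paid out."""
        k = self.bnb * self.usdt
        new_bnb = self.bnb + amount
        usdt_out = self.usdt - k / new_bnb
        self.bnb, self.usdt = new_bnb, self.usdt - usdt_out
        return usdt_out

def deviation(pool: Pool, reference_price: float) -> float:
    """Relative distance between the spot price and a reference price."""
    return abs(pool.spot_price() - reference_price) / reference_price

def value_in_usdt(pool, bnb_amount, reference_price=None, max_dev=0.02):
    """Hypothetical valuation used to size a mint. Without a reference it
    trusts the spot price; with one it rejects a pool skewed past max_dev."""
    if reference_price is not None and deviation(pool, reference_price) > max_dev:
        raise ValueError("spot price deviates from reference; refusing to price")
    return bnb_amount * pool.spot_price()

def demo():
    pool = Pool(bnb=1_000.0, usdt=300_000.0)  # constructed reserves
    reference = pool.spot_price()             # stand-in for a TWAP or feed
    pool.swap_bnb_in(1_000.0)                 # one large swap skews reserves
    skewed = value_in_usdt(pool, 10.0)        # unguarded: trusts skewed spot
    try:
        value_in_usdt(pool, 10.0, reference_price=reference)
        rejected = False
    except ValueError:
        rejected = True
    return reference, pool.spot_price(), skewed, rejected

if __name__ == "__main__":
    print(demo())
```

In this run the reference price is 300.0, the post-swap spot price is 75.0, and the guarded call is rejected while the unguarded one prices at the skewed value.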

The exploiter took advantage of this bug by using flash loans. They took eight flash loans, seven from PancakeSwap pools and one from ForTube Bank, a DeFi lending protocol. The attacker borrowed 2.3 million BNB (worth $704 million) and 2.9 million USDT ($2.9 million), for a total of nearly $707 million.

These flash loans were then used to manipulate the price of BNB in the BNB-USDT pool. The attacker used a small portion of BNB and USDT from the flash loans to provide liquidity to that pool.

They then swapped all the remaining BNB tokens from the flash loans in the pool to manipulate the reserves in the pool, minting 7 million bunny tokens in the process.

The attacker then sold most of the minted bunny tokens for BNB, resulting in a price crash of nearly 100% for bunny. The token fell from $146 to $0.9 following the attack. At the time of writing, bunny is trading at around $28, according to CoinGecko.

Source: DEXTools

The price crash means bunny holders have suffered losses due to the exploitation. The PancakeBunny protocol tweeted that it is “working on a reimbursement plan.”

In the process, the exploiter pocketed $45 million. They swapped the minted bunny for BNB. Then they used most of the BNB to pay back the eight flash loans. The remaining bunny and BNB resulted in a profit for the attacker.

The attacker then went on to swap some of the BNB to the anyETH token via Nerve Finance’s bridge and transferred it to an Ethereum address. At the time of writing, $41.4 million is sitting on the attacker’s Ethereum address, and $4 million is on their Binance Smart Chain address.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Yogita Khatri is a senior reporter at The Block, covering all things crypto. As one of the earliest team members, Yogita has played a pivotal role in breaking numerous stories, exclusives and scoops. With nearly 3,000 articles under her belt, Yogita holds the records as The Block's most-published and most-read author of all time. Prior to joining The Block, Yogita worked at crypto publication CoinDesk and The Economic Times, where she wrote on personal finance. To contact her, email: [email protected]. For her latest work, follow her on X @Yogita_Khatri5.