User reserves were not affected, but the value of the token was.
The company announced improvements to the code and a loss reimbursement plan.
The decentralized finance (DeFi) platform PancakeBunny Finance, which is based on the Binance Smart Chain protocol, was exploited this Wednesday, May 19. The “attack” caused losses of USD 45 million to the ecosystem. PancakeBunny (BUNNY), the platform’s token, went from being worth $146 to $9 in less than an hour.
The perpetrator exploited a vulnerability to create millions of PancakeBunny (BUNNY) tokens and then sold almost all of them in exchange for Binance Coin (BNB). While this did not affect the reserves directly, it did produce a steep decline in the price of the token, thus affecting all of its holders.
In the midst of all this, the platform stated on its Twitter account that it had frozen all deposits (enabled again in the early hours of Friday, May 21) and that it was working on a “repayment plan” for its users.
Subsequently, the PancakeBunny team announced in a publication on Medium the creation of a new pBunny token, which in 90 days can be exchanged for BUNNY. In addition, they reported that they had made changes to the platform code to prevent this type of attack in the future and that they will compensate for the surplus of the token in circulation through an “aggressive buyback strategy”, a possible burning of tokens and other related tactics.
PancakeBunny is among the most popular DeFi platforms, with a value locked on the platform totaling more than $1.5 billion, according to its official site. This figure would place it in the top 15 in this regard according to DeFi Pulse data.
How was the exploitation carried out?
Specifically, the maneuver was based on a bug in how the platform calculated the creation of new PancakeBunny tokens, which are used for governance in the protocol. According to The Block, this calculation depends on the value of the BNB – USDT (Tether) pool, which can be manipulated through the reserves of both cryptocurrencies.
The criminal took advantage of this flaw by using flash loans of up to 2.3 million BNB (close to USD 704 million) and 2.9 million USDT (equivalent to almost the same amount in dollars, given that it is a stablecoin). In total, eight loans were requested: seven from PancakeSwap, a decentralized exchange, and one from ForTube Bank, another DeFi platform that provides this type of service.
With all this flow of funds, the fraudster manipulated the price of BNB in the BNB – USDT pool by providing liquidity. Then, the specialist explains, he exchanged all the remaining BNB from the loans to manipulate the pool’s reserves, thereby creating seven million BUNNY tokens.
Finally, the attacker sold almost all the tokens created in exchange for BNB, which produced a near 100% drop in the value of the token. In the transactions, he also included a private note: «ArentFlashloansEaritating» (‘Aren’t flash loans irritating?’, plus a play on words alluding to the term bunny, ‘rabbit’, after the name of the platform).
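The dependence of the calculation on pool reserves, described above, can be seen in a small model. This is an added example, not code from the article or from PancakeBunny: it assumes a constant-product pool with fees ignored, uses constructed reserve numbers, and the `guarded_price` check against an independent reference price is hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product pool (bnb * usdt = k). Fees ignored (assumption)."""
    bnb: float
    usdt: float

    def spot_price(self) -> float:
        """USDT per BNB taken directly from the current reserves."""
        return self.usdt / self.bnb

    def swap_usdt_for_bnb(self, usdt_in: float) -> float:
        """Add USDT and remove BNB so the product of reserves is unchanged."""
        k = self.bnb * self.usdt
        new_usdt = self.usdt + usdt_in
        new_bnb = k / new_usdt
        bnb_out = self.bnb - new_bnb
        self.bnb, self.usdt = new_bnb, new_usdt
        return bnb_out


def guarded_price(pool: Pool, reference_price: float,
                  max_deviation: float = 0.05) -> float:
    """Hypothetical guard: accept the pool price only when it is within
    max_deviation of an independent reference (averaged or external feed)."""
    spot = pool.spot_price()
    deviation = abs(spot - reference_price) / reference_price
    if deviation > max_deviation:
        raise ValueError(f"pool price {spot:.2f} is {deviation:.0%} off reference")
    return spot


def demo():
    """Constructed numbers: 1,000 BNB / 300,000 USDT, reference price 300."""
    pool = Pool(bnb=1_000.0, usdt=300_000.0)
    reference = 300.0
    before = guarded_price(pool, reference)   # balanced pool passes the check
    pool.swap_usdt_for_bnb(300_000.0)         # one very large swap in one direction
    after = pool.spot_price()                 # reserve ratio is now skewed
    try:
        guarded_price(pool, reference)
        rejected = False
    except ValueError:
        rejected = True                       # valuation is refused while skewed
    return before, after, rejected


if __name__ == "__main__":
    print(demo())
```

A calculation that reads `spot_price()` directly would value the same deposit four times higher after the swap; the guard refuses to produce a price until the pool is back near the reference.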
Despite the steep drop, which even took the price below USD 10, at the time of writing BUNNY was trading at USD 55.65, according to its own website. Its market capitalization stands at USD 438 million.
With this incident, DeFi adds a new attack to those suffered in 2021. As CriptoNoticias reported at the end of April, in the first four months of the year the amount compromised on this type of platform already amounted to more than USD 41 million, although that figure continues to rise.