Earlier today, DeFi yield farming aggregator, Pancake Bunny, suffered a flash loan attack with the attacker making off with approximately $45 million in a matter of seconds.
The kicker? Nothing was breached. The attacker took advantage of two things: flash loans (an innovation in DeFi) and software vulnerabilities on a DeFi platform.
At 10:34 UTC on Thursday, 20 May, Pancake Bunny, a DeFi yield farming aggregator and optimizer built on Binance Smart Chain (BSC) suffered a flash loan attack that exploited the code on the Bunny protocol. Before we get into the details of the hack, some terminology we should familiarize ourselves with:
Flash loan attack: A flash loan is a loan that is made and returned within the timeframe it takes to create a new block on the blockchain. It is a loan that doesn’t require the borrower to put down any collateral. The borrower will quickly flip a profit on the amount and return the initial loan before a new block is formed. In a flash loan attack, the scammer will take the loan in order to manipulate the market and/or exploit software vulnerabilities within the code.
Automated Market Makers (AMMs): While not all decentralized exchanges are AMM platforms, some of the most popular DEX’s are. AMM platforms allow cryptocurrencies to be traded automatically using a programmed liquidity pool rather than a traditional order book, which brings together buyers and sellers.
Liquidity pools: Liquidity refers to how easily one asset may be converted into another without having much price impact. AMM platforms collect funds into a liquidity pool via a smart contract in order to facilitate decentralized trading, lending, and other financial functions. For decentralized exchanges such as Uniswap or PancakeSwap, liquidity pools enable the platforms to operate smoothly.
Liquidity providers and LP tokens: Liquidity providers are incentivized to supply liquidity pools with assets so that tokens may be traded easily on the platform. For example, part of the fees generated through trading within the pool may be used to “payback” liquidity providers. In addition, when liquidity providers contribute assets to a pool, the AMM platform will automatically generate an LP token, which can then also be used in other functions — either on its native platform or on other DeFi apps — so that liquidity providers may receive even greater returns.
Total Value Locked (TVL): Used as the de facto metric to show the growth of decentralized finance, total value locked is the amount of capital that has been deposited into DeFi — often in the form of loan collaterals or liquidity in a trading pool.
What do we know so far?
Contrary to previous reports of $1 billion being stolen from Pancake Bunny, Igor Igamberdiev, research analyst at The Block Crypto, revealed that in fact approximately $45 million (114,000 WBNB) was stolen. The attacker exploited the use of flash loans via PancakeSwap (PCS).
Today, BUNNY tokens worth $1B+ were minted from Bunny Finance on BSC, resulting in $40M+ was stolen:
– 114k WBNB ($40M)
– 697k BUNNY
For this reason, the BUNNY price fell from $146 to $6👇 pic.twitter.com/BBVfWOHgZH
— Igor Igamberdiev (@FrankResearcher) May 20, 2021
In a series of tweets, Igor broke down the attacker’s actions into six steps, which were confirmed by Pancake Bunny’s post-mortem:
At the moment, the attacker has already withdrawn 10.1k ETH ($23.5M) to Ethereum through the Nerve bridge, and another $14M is on their BSC address. pic.twitter.com/h9taC5bcPj
— Igor Igamberdiev (@FrankResearcher) May 20, 2021
- Deposited 1BNB worth of USDT to the Bunny USDT-WBNB Vault in order to stage the exploit. 9.275 LPs were generated as a result of this deposit.
- Borrowed 2.3M BNB ($704 million) from seven PancakeSwap pools and 2.9M USDT from ForTube Bank using flash loans.
- Deposited an additional 7,700 BNB and 2.9M USDT of liquidity to the PancakeSwap USDT-WBNB pool, along with the LP tokens generated from step 1.
- Traded 2.3M BNB to USDT through the PancakeSwap USDT-WBNB pool, flooding the pool with BNB and significantly decreasing the amount of USDTs in the pool.
- With the LP in the PancakeSwap USDT-WBNB pool, Bunny Finance believed that the exploiter added a large amount of BNB into the system, triggering the system to mint 7M BUNNY ($1 billion).
- Exploiter then sold 4.8M BUNNY for 2.3M WBNB and 2.9M USDT, which it then used to repay the flash loans borrowed in step 2.
As indicated in Pancake Bunny’s “Go Forward Plan,” all the vaults are safe and no vaults have been breached. However, when the newly minted BUNNY from step 5 flooded the market, the price of BUNNY crashed. A portion of Pancake Bunny’s TVL is in BUNNY, thus — while the vault themselves were not breached — TVL was still lost.
Who was hurt from this attack?
Primary, holders of BUNNY are the ones who were hurt the most from this incident in two ways:
- With 7 million BUNNY tokens created out of thin air, existing tokens were diluted, driving the price of BUNNY down.
- Due to the sale of BUNNY tokens in the market, the liquidity of BUNNY — the ease at which BUNNY may be sold on the market — was completely zapped.
In its “Go Forward Plan,” Pancake Bunny outlined the steps they’re taking in order to drive the recovery of 1) TVL, 2) market cap and 3) compensating everyone for their losses as soon as possible.
What does this mean for flash loans, flash loan attacks, and DeFi platforms?
Flash loans are unique in the sense that borrowers are able to act like a whale in the markets with little to no collateral, thus giving almost anyone the ability to manipulate the market and exploit vulnerabilities within smart contract codes.
As with any nascent industry, errors are made at the beginning and the industry will learn from these types of attacks. Systems and infrastructure will then be enforced and strengthened to ensure safe transactions for those using DeFi platforms.