At 10:34 UTC on Thursday, 20 May, Pancake Bunny, a DeFi yield farming aggregator and optimizer built on Binance Smart Chain (BSC) suffered a flash loan attack that exploited the code on the Bunny protocol. Before we get into the details of the hack, some terminology we should familiarize ourselves with:
Flash loan attack: A flash loan is a loan that is made and returned within the timeframe it takes to create a new block on the blockchain. It is a loan that doesn’t require the borrower to put down any collateral. The borrower will quickly flip a profit on the amount and return the initial loan before a new block is formed. In a flash loan attack, the scammer will take the loan in order to manipulate the market and/or exploit software vulnerabilities within the code.
Automated Market Makers (AMMs): While not all decentralized exchanges are AMM platforms, some of the most popular DEX’s are. AMM platforms allow cryptocurrencies to be traded automatically using a programmed liquidity pool rather than a traditional order book, which brings together buyers and sellers.
Liquidity pools: Liquidity refers to how easily one asset may be converted into another without having much price impact. AMM platforms collect funds into a liquidity pool via a smart contract in order to facilitate decentralized trading, lending, and other financial functions. For decentralized exchanges such as Uniswap or PancakeSwap, liquidity pools enable the platforms to operate smoothly.
Liquidity providers and LP tokens: Liquidity providers are incentivized to supply liquidity pools with assets so that tokens may be traded easily on the platform. For example, part of the fees generated through trading within the pool may be used to “payback” liquidity providers. In addition, when liquidity providers contribute assets to a pool, the AMM platform will automatically generate an LP token, which can then also be used in other functions — either on its native platform or on other DeFi apps — so that liquidity providers may receive even greater returns.
Total Value Locked (TVL): Used as the de facto metric to show the growth of decentralized finance, total value locked is the amount of capital that has been deposited into DeFi — often in the form of loan collaterals or liquidity in a trading pool.
What do we know so far?
Contrary to previous reports of $1 billion being stolen from Pancake Bunny, Igor Igamberdiev, research analyst at The Block Crypto, revealed that in fact approximately $45 million (114,000 WBNB) was stolen. The attacker exploited the use of flash loans via PancakeSwap (PCS).
In a series of tweets, Igor broke down the attacker’s actions into six steps, which were confirmed by Pancake Bunny’s post-mortem:
As indicated in Pancake Bunny’s “Go Forward Plan,” all the vaults are safe and no vaults have been breached. However, when the newly minted BUNNY from step 5 flooded the market, the price of BUNNY crashed. A portion of Pancake Bunny’s TVL is in BUNNY, thus — while the vault themselves were not breached — TVL was still lost.Who was hurt from this attack?Primary, holders of BUNNY are the ones who were hurt the most from this incident in two ways:
In its “Go Forward Plan,” Pancake Bunny outlined the steps they’re taking in order to drive the recovery of 1) TVL, 2) market cap, and 3) compensating everyone for their losses as soon as possible.
Flash loans are unique in the sense that borrowers are able to act like a whale in the markets with little to no collateral, thus giving almost anyone the ability to manipulate the market and exploit vulnerabilities within smart contract codes.As with any nascent industry, errors are made at the beginning and the industry will learn from these types of attacks. Systems and infrastructure will then be enforced and strengthened to ensure safe transactions for those using DeFi platforms.