PancakeHunny Performance Fee Minting Attack Analysis

WatchPug
Jun 3, 2021


The Exploit

On Jun 03, at about 2 AM UTC, a hacker minted a lot of Hunny tokens, dumped them, and took out 38.9 ETH.

A lot of tokens get minted
.. and dumped

“Oh, this looks familiar. Is this a ‘flash..

Let me stop you right there.

No! This is not a Flash Loan attack.

None of the Bunny and Bunny fork attacks is a Flash Loan attack. They are Performance Fee Minting Attacks. They just often get amplified/made easier with Flash Loans.

These attacks are made possible by one or more logic bugs in the Performance Fee Minting process.

Dear devs and concerned users, don’t say “how do you/us prevent flash loan attacks” anymore. This has nothing to do with flash loans; flash loans are all cool. Take care of your own shit first.

Root Cause

As we all know, bugs are created out of sloppy code. What does sloppy code look like, you ask?

Let’s take a look at the HunnyMinter:

The minter uses its entire wallet balance to make HUNNYBNB LP, and then uses that LP to calculate the profit hunnyBnbAmount, which can easily be tampered with just by sending tokens to the minter contract.

The core issue is: it’s taking all the wallet balance to create the LP tokens which will later be used for profit calculation and minting. Same old bug as the two of the previous hacks.
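The pattern described above, next to a hardened form, as an added sketch that is not the HunnyMinter source and not WatchPug's code. The contract, function names and mint rate are hypothetical, and the LP-creation step is collapsed into a direct measurement of the fee token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model for illustration only; every name here is hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IMintable {
    function mint(address to, uint256 amount) external;
}

contract MinterSketch {
    IERC20 public immutable feeToken;           // asset the performance fee arrives in
    IMintable public immutable rewardToken;     // token minted against the fee
    uint256 public constant REWARD_PER_FEE = 3; // hypothetical mint rate

    constructor(IERC20 _feeToken, IMintable _rewardToken) {
        feeToken = _feeToken;
        rewardToken = _rewardToken;
    }

    // Buggy pattern: the "profit" is whatever the contract currently holds.
    // Tokens sent to this address beforehand are counted as fee, so the
    // minted amount is controlled by anyone who can transfer to the contract.
    function mintForBuggy(uint256 fee, address to) external {
        require(feeToken.transferFrom(msg.sender, address(this), fee), "transfer failed");
        uint256 measured = feeToken.balanceOf(address(this)); // includes stray balance
        rewardToken.mint(to, measured * REWARD_PER_FEE);
    }

    // Hardened pattern: only the amount that arrived in this call is counted.
    // The balance delta also stays correct for fee-on-transfer tokens.
    // Access control and forwarding of the collected fee are omitted here.
    function mintForHardened(uint256 fee, address to) external {
        uint256 balanceBefore = feeToken.balanceOf(address(this));
        require(feeToken.transferFrom(msg.sender, address(this), fee), "transfer failed");
        uint256 received = feeToken.balanceOf(address(this)) - balanceBefore;
        rewardToken.mint(to, received * REWARD_PER_FEE);
    }
}
```

When reviewing a minter, treat any `balanceOf(address(this))` that feeds a mint or reward calculation as a finding until it is shown that the balance cannot be influenced from outside the call.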

Again, it’s not a flash loan attack. Stop using that fancy flashy word already, and this time, the hacker didn’t even bother using a flash loan.

Devs out there, just stop trying to fight against flash loans. (Pro tip: you can’t.)

Fight against sloppy code instead. BTW, WatchPug does provide an audit service. If you are interested, ping us on Telegram.

About Us

WatchPug is a smart contract security team with the goal of elevating the security, privacy, and usability of the current DeFi ecosystem. If you need a smart contract audit, please contact us on Twitter or Telegram.

Donation: 0x227d72Ec9f332292523f64032DD25111676404aA
