The PancakeBunny Bunny Performance Fee Minting Incident Analysis

The root cause: lack of understanding of the dependent smart contracts.

The Exploit

On May 19, 2021, 10:34:28 PM UTC, in two transactions, the hacker used 2.3M BNB and 2.9M USDT in flash loans and minted 6,972,455 BUNNY tokens.

As a result of this exploit, the hacker took out 114k WBNB and 697k BUNNY.

That is ~38M worth of BNB stolen; the exploit made the total supply of BUNNY tokens skyrocket from 1M to 9M and crashed the BUNNY price from $160 to $1.6.

How?

The exploiter’s actions were as follows:

  1. Added a small amount of assets to the Bunny USDT-WBNB Vault (with this tx: https://bscscan.com/tx/0x88fcffc3256faac76cde4bbd0df6ea3603b1438a5a0409b2e2b91e7c2ba3371a).
  2. Borrowed 2.3M BNB ($704M) from 6 PancakeSwap pools and 2.96M USDT from ForTube Bank using flash loans.
  3. Added 7.7k BNB and 2.9M USDT of liquidity to the USDT-WBNB V2 pool on PancakeSwap while leaving the LP tokens in this pool (this is important: it is the key that leads to the hack).
  4. Swapped 2.3M BNB to 3.8M USDT through the USDT-WBNB LP V1 pool (crashing the price of BNB in USDT to an extremely low level).
  5. Called getReward with the deposit in the Bunny USDT-WBNB Vault from the first step.
  6. Bunny takes 30% of the profit (a very small amount of LP tokens) and zaps it into BUNNY-WBNB LP. (Because of the huge amount of LP left in the pool at step 3, this returned an extremely large amount of BUNNY-BNB LP tokens; see the detailed analysis below.) As a result, the system minted 7M BUNNY using the assets from the first step.
  7. Sold 4.8M BUNNY for 2.3M WBNB and 2.9M USDT, then started to repay the flash loans.

Why?

Unlike many other BSC MasterChef-like farms, BUNNY has a special supply mechanism: it takes 30% of the profit from the farming pools as a performance fee and redistributes it to the BUNNY Staking pool.

With a recent upgrade, they changed this so that the profit tokens are zapped into BUNNY-WBNB LP before being sent to the Staking pool.

BunnyMinter converts the profit to BUNNY-WBNB LP and mints based on the BNB price calculated from the LP amount.

The _zapAssetsToBunnyBnb function uses PancakeSwap to remove liquidity for the earned LP tokens and turns the output tokens into BUNNY-WBNB V1 LP tokens.

However, the removeLiquidity function in PancakeSwap's router always burns all of the LP tokens in the pair's balance.

With the huge amount of LP tokens (worth ~15k BNB) that the hacker left in the pool at Step 3, the output tokens were 3M USDT and 7.7k BNB.

PCS burns all LP tokens in the pair's balance, not only the amount of liquidity passed as input.
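As an added illustration (not code from WatchPug or PancakeBunny), the constant-product pair model below shows why LP tokens left sitting in the pair contract inflate the output of a tiny removeLiquidity call, and a pro-rata sanity check a zap could apply before valuing the result. The pool sizes, the 1 LP of fees and the 700k stray LP are constructed figures.

```python
from dataclasses import dataclass, field

E18 = 10**18

@dataclass
class Pair:
    """Minimal UniswapV2/PancakeSwap-style pair (constructed model, not the real contract)."""
    reserve0: int            # WBNB reserve (wei)
    reserve1: int            # USDT reserve (wei)
    total_supply: int        # LP tokens outstanding
    balances: dict = field(default_factory=dict)  # LP holder -> LP balance; "pair" is the pair itself

    def transfer(self, src, dst, amount):
        assert self.balances.get(src, 0) >= amount, "insufficient LP balance"
        self.balances[src] = self.balances.get(src, 0) - amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def burn(self):
        # Mirrors Pair.burn(): liquidity = balanceOf(address(this)). Everything the pair
        # holds is burned, including LP tokens a third party sent to it earlier.
        liquidity = self.balances.get("pair", 0)
        amount0 = liquidity * self.reserve0 // self.total_supply
        amount1 = liquidity * self.reserve1 // self.total_supply
        self.balances["pair"] = 0
        self.total_supply -= liquidity
        self.reserve0 -= amount0
        self.reserve1 -= amount1
        return amount0, amount1

def router_remove_liquidity(pair, caller, liquidity):
    """Router.removeLiquidity: move the caller's LP into the pair, then burn."""
    pair.transfer(caller, "pair", liquidity)
    return pair.burn()

def pro_rata_share(pair, liquidity):
    """What `liquidity` LP tokens are actually worth: their share of the reserves."""
    return (liquidity * pair.reserve0 // pair.total_supply,
            liquidity * pair.reserve1 // pair.total_supply)

def zap_remove_liquidity_checked(pair, caller, liquidity, tolerance_bps=100):
    """Defensive zap step: compute the pro-rata share before burning and refuse to
    value the position at anything above it (plus a small rounding tolerance)."""
    exp0, exp1 = pro_rata_share(pair, liquidity)
    got0, got1 = router_remove_liquidity(pair, caller, liquidity)
    cap = 10_000 + tolerance_bps
    if got0 > exp0 * cap // 10_000 or got1 > exp1 * cap // 10_000:
        raise ValueError("removeLiquidity returned more than this position's share")
    return got0, got1

def make_scenario(stray_lp_in_pair):
    """Constructed USDT-WBNB pool: 10k WBNB / 3.7M USDT, 1M LP; the vault holds 1 LP of fees."""
    return Pair(10_000 * E18, 3_700_000 * E18, 1_000_000 * E18,
                {"vault": 1 * E18, "pair": stray_lp_in_pair})
```

With no stray LP the vault's 1 LP redeems 0.01 WBNB and 3.7 USDT; with 700k LP parked in the pair the same call returns about 7,000 WBNB and 2.59M USDT, which the checked version refuses to pass on to the minter.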

Then the Zap function swapped the 3M USDT into 2.3M BNB using the V1 pool. (This was possible because step 4 crashed the price of BNB.)

Then it swapped half of it (1.15M BNB) to 176.9k BUNNY (which increased the price of BUNNY enormously) and then created BUNNY-WBNB V1 LP with the remaining 1.15M BNB and 10.8k BUNNY.

Notice: 176.9k - 10.98k = 166k BUNNY tokens still remain in the Zapper contract.

Now there is a huge bunnyBNBAmount to be used to mint the performance fee reward in BUNNY.


And now the price of the BUNNY-WBNB LP is also much higher than usual, so the BUNNY reward, minted at 3 BUNNY per BNB, became much higher than usual.

As a result: 7M BUNNY was minted for the hacker.

With most of the BUNNY sold, the hacker took out 114k WBNB and 697k BUNNY.

That is ~38M worth of BNB stolen; the exploit made the total supply of BUNNY tokens skyrocket from 1M to 9M and crashed the BUNNY price from $160 to $1.6.

About Us

WatchPug is a smart contract security team with the goal of elevating the security, privacy, and usability of the current DeFi ecosystem. For smart contract auditing needs, please contact us on Twitter or Telegram.

Donation: 0x227d72Ec9f332292523f64032DD25111676404aA

Pug against Rug