The PancakeBunny Bunny Performance Fee Minting Incident Analysis

The Exploit

On May 19, 2021, at 10:34:28 PM UTC, in two transactions, the attacker used flash loans of 2.3M BNB and 2.9M USDT to mint 6,972,455 BUNNY tokens.

How?

The exploiter's actions were as follows:

  1. Borrowed 2.3M BNB ($704M) from 6 PancakeSwap pools and 2.96M USDT from ForTube Bank using flash loans.
  2. Added 7.7k BNB and 2.9M USDT of liquidity to the USDT-WBNB V2 pool on PancakeSwap, leaving the LP tokens inside the pool contract (this is important: it is the key step that leads to the hack).
  3. Swapped 2.3M BNB to 3.8M USDT through the USDT-WBNB V1 pool, crashing the BNB price in USDT to an extremely low level.
  4. Called getReward on the Bunny USDT-WBNB Vault with the deposit from the first step.
  5. Bunny takes 30% of the profit (a very small amount of LP tokens) as a performance fee and zaps it into BUNNY-WBNB LP. Because of the huge amount of LP left in the pool at step 3, the zap returned an extremely large amount of BUNNY-BNB LP tokens (see the detailed analysis below). As a result, the system minted 7M BUNNY against the assets from the first step.
  6. Sold 4.8M BUNNY for 2.3M WBNB and 2.9M USDT, then repaid the flash loans.

Why?

Unlike many other BSC MasterChef-like farms, BUNNY has a special supply mechanism: it takes 30% of the profit from the farming pools as a performance fee and redistributes it to the BUNNY staking pool.

The BunnyMinter converts the profit into BUNNY-WBNB LP and mints BUNNY based on the BNB value calculated from the LP amount.

The PancakeSwap pair burns all LP tokens in its own balance, not only the amount of liquidity passed as input.
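As an added illustration (a constructed model, not PancakeSwap's or PancakeBunny's code), the following Python models the two mechanics from the step list and the explanation above: `burn()` on a UniswapV2-style pair pays out the pair's entire LP balance, so LP tokens someone left in the pair are swept up by the next liquidity removal, and a minter that values the payout at the pool's spot price therefore sees an inflated performance fee. The class and function names (`Pair`, `remove_liquidity_checked`, `scenario`, `fee_processing_rejected`) and all reserve numbers are assumptions of this model; the hardened removal is an illustrative pro-rata check, not the project's actual fix.

```python
"""Toy model of the LP-burn behaviour behind the PancakeBunny incident.

Constructed example: numbers and names are this model's own, not PancakeSwap's
or PancakeBunny's code.
"""
from dataclasses import dataclass


@dataclass
class Pair:
    """Constant-product pair with the two UniswapV2-style properties that matter here:
    liquidity is minted/burned pro rata to reserves, and burn() consumes the pair's
    entire LP balance rather than taking an amount argument."""
    reserve_bnb: float
    reserve_usdt: float
    total_supply: float
    lp_in_pair: float = 0.0  # LP tokens held by the pair contract itself

    def mint(self, amount_bnb, amount_usdt):
        """Add liquidity; returns the LP minted (it stays in the pair until moved)."""
        liquidity = min(amount_bnb * self.total_supply / self.reserve_bnb,
                        amount_usdt * self.total_supply / self.reserve_usdt)
        self.reserve_bnb += amount_bnb
        self.reserve_usdt += amount_usdt
        self.total_supply += liquidity
        return liquidity

    def burn(self):
        """Like UniswapV2Pair.burn: whatever LP sits in the pair is burned and paid out."""
        liquidity = self.lp_in_pair
        out_bnb = liquidity * self.reserve_bnb / self.total_supply
        out_usdt = liquidity * self.reserve_usdt / self.total_supply
        self.reserve_bnb -= out_bnb
        self.reserve_usdt -= out_usdt
        self.total_supply -= liquidity
        self.lp_in_pair = 0.0
        return out_bnb, out_usdt

    def spot_bnb_per_usdt(self):
        """Spot price straight from reserves (manipulable within one transaction)."""
        return self.reserve_bnb / self.reserve_usdt


def remove_liquidity(pair, lp_amount):
    """Router-style removal: transfer LP into the pair, then call burn()."""
    pair.lp_in_pair += lp_amount
    return pair.burn()


def remove_liquidity_checked(pair, lp_amount):
    """Hardened removal (illustrative): compute the pro-rata share before burning and
    refuse any payout that exceeds it, which is exactly what leftover LP produces."""
    expected_bnb = lp_amount * pair.reserve_bnb / pair.total_supply
    expected_usdt = lp_amount * pair.reserve_usdt / pair.total_supply
    pair.lp_in_pair += lp_amount
    out_bnb, out_usdt = pair.burn()
    if out_bnb > expected_bnb * 1.000001 or out_usdt > expected_usdt * 1.000001:
        raise ValueError("burn paid out more than the LP amount passed: leftover LP in pair")
    return out_bnb, out_usdt


def value_in_bnb(pair, amount_bnb, amount_usdt):
    """Value a payout using the pool's spot price, as a naive minter would."""
    return amount_bnb + amount_usdt * pair.spot_bnb_per_usdt()


def _fresh_pair(leftover_lp_in_pair):
    pair = Pair(reserve_bnb=1000.0, reserve_usdt=300_000.0, total_supply=1000.0)
    if leftover_lp_in_pair:
        # Someone added liquidity and left the LP tokens inside the pair (step 2 above).
        pair.lp_in_pair += pair.mint(100.0, 30_000.0)
    return pair


def scenario(leftover_lp_in_pair):
    """Process a 1-LP performance fee; returns the BNB value the naive minter sees.
    Without leftover LP the fee is worth 2 BNB; with 100 LP left in the pair the same
    call sweeps 101 LP and the minter sees 202 BNB."""
    pair = _fresh_pair(leftover_lp_in_pair)
    out_bnb, out_usdt = remove_liquidity(pair, 1.0)
    return value_in_bnb(pair, out_bnb, out_usdt)


def fee_processing_rejected(leftover_lp_in_pair):
    """True if the hardened removal refuses the fee processing in this scenario."""
    pair = _fresh_pair(leftover_lp_in_pair)
    try:
        remove_liquidity_checked(pair, 1.0)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("fee value, clean pair:   ", scenario(False))
    print("fee value, leftover LP:  ", scenario(True))
    print("hardened check rejects:  ", fee_processing_rejected(True))
```

The model deliberately ignores swap fees and the BUNNY-WBNB zap step; the point is that the amount a pool returns depends on its LP balance, not on the caller's argument, and that any downstream valuation should compare the payout against the share implied by the LP amount actually sent (and use a price source that cannot be moved within the same transaction).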

About Us

WatchPug is a smart contract security team with the goal of elevating the security, privacy, and usability of the current DeFi ecosystem. If you need a smart contract audit, please contact us on Twitter or Telegram.
