Slow Mist: Analysis of PancakeBunny being hacked

Starting at around 6:35 on May 20, the price of BUNNY, the token of PancakeBunny, the DeFi yield aggregator on Binance Smart Chain, crashed from $240 to below $2 at one point, a drop of more than 99%.

In response, PancakeBunny said that it had been hit by a flash loan attack from outsiders and lost a total of 114,631 BNB and 697,245 BUNNY, approximately 42 million US dollars at the current price.

To put it simply, the hacker used PancakeSwap to borrow a large amount of BNB, then repeatedly manipulated the USDT/BNB and BUNNY/BNB prices, thereby obtaining a large amount of BUNNY and selling it, which caused the BUNNY price to flash-crash; finally the hacker swapped back into BNB through PancakeSwap.

The SlowMist security team also conducted a detailed analysis of the incident, as follows:

1. The attacker first initiates a transaction that uses 0.5 WBNB and about 189 USDT to add liquidity on PancakeSwap, obtains the corresponding LP tokens, and then deposits the LP into the VaultFlipToFlip contract of the PancakeBunny project.

2. After the LP deposit is complete, the attacker initiates a second transaction. In this transaction, the attacker first borrows a huge amount of WBNB tokens from multiple PancakeSwap liquidity pools and, from the ForTube project's lending module, a certain amount of USDT tokens. All of the borrowed USDT and some of the WBNB are then used to add liquidity to PancakeSwap's WBNB-USDT pool, and the LP tokens obtained are left in the WBNB-USDT pool.

3. Since the attacker already deposited into the VaultFlipToFlip contract in step 1, the attacker calls the getReward function of the VaultFlipToFlip contract directly after adding liquidity, to obtain BUNNY token rewards and withdraw the previously deposited liquidity.

4. During the getReward operation, the mintForV2 function of the BunnyMinterV2 contract is called to mint BUNNY token rewards for the caller.

5. In the mintForV2 operation, a certain amount of LP (the performanceFee) is first transferred to the WBNB-USDT pool to remove liquidity. Because the attacker left a large number of LP tokens in that pool in step 2, the BunnyMinterV2 contract receives a large amount of WBNB and USDT tokens.

6. After the liquidity removal is complete, the zapInToken function of the zapBSC contract is called, and the WBNB and USDT tokens received in step 5 are transferred into the zapBSC contract.

7. In the zapInToken operation, the transferred USDT is first converted into WBNB in PancakeSwap's WBNB-USDT pool. Half of the WBNB in the contract is then swapped for BUNNY tokens in PancakeSwap's WBNB-BUNNY pool, the BUNNY obtained and the remaining WBNB are added to the WBNB-BUNNY pool to obtain LP, and this LP is returned to mintForV2. However, because of the unexpectedly large amount of WBNB received in step 5 and the swap of WBNB into BUNNY, the amount of WBNB in the WBNB-BUNNY pool increases substantially.

8. After the zapInToken operation completes, the amount of WBNB-BUNNY LP now held by the BunnyMinterV2 contract is calculated and returned to mintForV2. The valueOfAsset function of the PriceCalculatorBSCV1 contract is then called to calculate the value of these LP tokens, with the result denominated in BNB (that is, how much BNB a single LP is worth).

9. In the valueOfAsset calculation, the real-time amount of WBNB in the WBNB-BUNNY pool is multiplied by 2 and divided by the total supply of WBNB-BUNNY LP to give the value of a single LP (valueInBNB). After step 7, however, the amount of WBNB in the WBNB-BUNNY pool has unexpectedly increased a great deal, so the calculated value of a single LP, relative to BNB, becomes very high.

10. Then, in mintForV2, the contract uses the LP value calculated in step 9 to work out, through the amountBunnyToMint function, how many BUNNY tokens need to be minted for the attacker. Because of the flaw in the price calculation method, the final LP price had been maliciously pushed up by the attacker, so the BunnyMinterV2 contract ends up minting a large number of BUNNY tokens (about 6.97 million) for the attacker.

11. After receiving the BUNNY tokens, the attacker sold them in batches for WBNB and USDT, repaid the flash loans, and walked away with the proceeds, completing the attack.

The SlowMist team said that this is a typical flash loan price manipulation attack. The key point is that the price calculation for WBNB-BUNNY LP is flawed, and the number of BUNNY minted by the BunnyMinterV2 contract depends on this flawed LP price calculation. Ultimately, the attacker used the flash loan to manipulate the WBNB-BUNNY pool, inflating the LP price and causing the BunnyMinterV2 contract to mint a large amount of BUNNY for the attacker. The SlowMist security team recommends that, for LP price calculations of this kind, a trusted delayed price feed oracle be used for the calculation, or that projects refer to the approach previously taken by the Alpha Finance team.
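The following simulation is an added example and is not code from SlowMist, PancakeBunny or PancakeSwap. It reproduces the arithmetic of steps 7 to 9 on a constructed WBNB-BUNNY pool (1000 WBNB, 5000 BUNNY, 2236 LP tokens; a 0.25% swap fee is assumed) and contrasts the spot-reserve valuation the analysis attributes to valueOfAsset with the fair LP valuation formula published by Alpha Finance, which the recommendation above names but does not spell out: 2 * sqrt(r0 * r1) * sqrt(p0 * p1) / totalSupply, with p1 taken from a delayed oracle. The `deviation_bps` guard and the `max_deviation_bps` threshold are hypothetical illustrations of a check a minter could apply; all amounts are 18-decimal fixed point.

```python
from math import isqrt

# Fixed-point scale for token amounts and prices (18 decimals, as on BSC).
WAD = 10**18


def swap_exact_in(reserve_in, reserve_out, amount_in, fee_bps=25):
    """Constant-product swap (x*y=k) with a 0.25% fee (assumed PancakeSwap fee).
    Returns (amount_out, new_reserve_in, new_reserve_out)."""
    amount_in_with_fee = amount_in * (10_000 - fee_bps)
    amount_out = amount_in_with_fee * reserve_out // (reserve_in * 10_000 + amount_in_with_fee)
    return amount_out, reserve_in + amount_in, reserve_out - amount_out


def spot_lp_value_in_bnb(r_wbnb, lp_total_supply):
    """The valuation the analysis attributes to valueOfAsset:
    2 * WBNB reserve / LP total supply. Any WBNB pushed into the pool in the
    same transaction inflates it directly."""
    return 2 * r_wbnb * WAD // lp_total_supply


def fair_lp_value_in_bnb(r_wbnb, r_bunny, bunny_price_bnb, lp_total_supply):
    """Fair LP valuation (Alpha Finance's published formula):
    2 * sqrt(r0 * r1) * sqrt(p0 * p1) / supply, with p0 = 1 BNB for WBNB and
    p1 = BUNNY price in BNB from a trusted, delayed oracle. It depends only on
    the invariant k = r0 * r1, which a swap leaves essentially unchanged, and on
    the oracle price, so a swap inside the transaction cannot move it."""
    return 2 * isqrt(r_wbnb * r_bunny) * isqrt(WAD * bunny_price_bnb) // lp_total_supply


def deviation_bps(observed, reference):
    """Absolute deviation of observed from reference, in basis points."""
    return abs(observed - reference) * 10_000 // reference


def simulate_manipulation(wbnb_dumped=9_000 * WAD, max_deviation_bps=500):
    """Constructed scenario: a 1000 WBNB / 5000 BUNNY pool with 2236 LP tokens,
    followed by one large WBNB -> BUNNY swap, which is what zapInToken performs
    when handed an unexpectedly large amount of WBNB (step 7)."""
    r_wbnb, r_bunny, lp_supply = 1_000 * WAD, 5_000 * WAD, 2_236 * WAD
    oracle_bunny_price = 2 * WAD // 10  # 0.2 BNB per BUNNY, the oracle's delayed value

    def snapshot(r_wbnb, r_bunny):
        spot = spot_lp_value_in_bnb(r_wbnb, lp_supply)
        fair = fair_lp_value_in_bnb(r_wbnb, r_bunny, oracle_bunny_price, lp_supply)
        dev = deviation_bps(spot, fair)
        # Hypothetical guard: refuse to mint when the spot-derived LP value
        # strays too far from the oracle-based fair value.
        return {"spot": spot, "fair": fair, "spot_vs_fair_bps": dev,
                "mint_allowed": dev <= max_deviation_bps}

    before = snapshot(r_wbnb, r_bunny)
    _, r_wbnb, r_bunny = swap_exact_in(r_wbnb, r_bunny, wbnb_dumped)
    after = snapshot(r_wbnb, r_bunny)
    return before, after


if __name__ == "__main__":
    before, after = simulate_manipulation()
    for label, s in (("before swap", before), ("after swap", after)):
        print(f"{label}: spot {s['spot'] / WAD:.4f} BNB/LP, fair {s['fair'] / WAD:.4f} BNB/LP, "
              f"deviation {s['spot_vs_fair_bps']} bps, mint allowed: {s['mint_allowed']}")
```

Dumping 9000 WBNB into the pool raises the WBNB reserve tenfold, and with it the spot-derived LP value, which is exactly the quantity amountBunnyToMint is fed in step 10. The fair value barely moves, because k and the oracle price are unchanged, so a minter that compares the two, or that uses the fair formula outright, would not mint against the inflated figure.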


Author/ Translator: Jamie Kim
Bio: Jamie Kim is a technology journalist. Raised in Hong Kong and always vocal at heart. She aims to share her expertise with the readers at blockreview.net. Kim is a Bitcoin maximalist who believes with unwavering conviction that Bitcoin is the only cryptocurrency – in fact, currency – worth caring about.