Has the demon run out of the bottle? We dissected the principles of PancakeBunny and AutoShark’s lightning loan attack and the attackers’ on-chain transfer logs to uncover some clues to the Merlin Labs homologation attack.
On May 20, 2021, a group of unknown attackers boosted the value of LP token by calling the function getReward() to obtain an additional $45 million worth of BUNNY rewards. on May 25, PeckShield “PieShield” alert found that Fork PancakeBunny’s earnings aggregator AutoShark Finance was attacked by PancakeBunny’s homegrown lightning loans.
On May 26, 2021, just 24 hours after the attack on AutoShark Finance, PeckShield security personnel discovered a homologous attack on Fork PancakeBunny’s Merlin Labs by dissecting the PancakeBunny and AutoShark attack rationale and the attackers’ in-chain transfer logs.
All three of these attacks share two similar characteristics; the attackers targeted Fork PancakeBunny’s revenue aggregators; and after the attackers completed their attacks, they converted them to ETH in batches via the Nerve (Anyswap) cross-chain bridge.
Interestingly, after the PancakeBunny attack, Merlin Labs also posted that Merlin took additional precautions for potential possibilities by examining the vulnerabilities of the Bunny attack and constantly iterating through the details to perform code reviews. In addition, the Merlin development team has proposed solutions to such attacks that could prevent similar incidents from occurring with Merlin. At the same time, Merlin emphasizes that the security of their users is their number one priority.
PeckShield Pai Shield briefly describes the attack process.
This time, the attacker does not borrow lightning loans as principal, but deposits a small amount of BNB into PancakeSwap for liquidity mining and obtains the corresponding LP Token, Merlin’s smart contract is responsible for staking the attacker’s assets into PancakeSwap, obtaining CAKE rewards, and directing the CAKE rewards to the The attacker calls the getReward() function, a step that is homologous to the BUNNY vulnerability, and CAKE is injected in large quantities so that the attacker gets a large amount of MERLIN rewards, and the attacker repeats the operation, eventually getting a total of 49,000 MERLIN rewards, and the attacker completes the attack after drawing off liquidity.
The attacker then converts them into ETH in batches via the Nerve (Anyswap) cross-chain bridge, and CoinHolmes, PeckShield’s anti-money laundering situational awareness system, continuously monitors the dynamics of the transferred assets.
PeckShield recommends that you double-check your own contracts for similar vulnerabilities in Fork PancakeBunny’s DeFi protocol, or seek professional auditing to prevent and monitor similar attacks to avoid becoming the next “unfortunate”.
In this wave of BSC DeFi, if DeFi protocol developers do not pay more attention to security, they will not only put the ecological security of BSC at risk, but also fall into the wool of attackers’ eyes.
Fork’s DeFi protocol may have lost a lot of money due to homologous vulnerabilities before it became a Bunny challenger. Fork’s DeFi protocol may be a Bunny challenger before it even becomes a homologation vulnerability, and is derided as a “stubborn leek field”.
There are two types of “games” in the world, “finite games” and “infinite games”. The finite game is designed to win; the infinite game is designed to keep the game going forever.
There is no doubt that the attackers’ infinite game will continue regardless of whether or not Fork Bunny’s DeFi protocol will next seriously check its code.
Posted by:CoinYuppie，Reprinted with attribution to:https://coinyuppie.com/another-facepalm-scene-fork-bunnys-merlin-loses-240-eth/
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.