BSC Flash Loan Attack Again: BUNNY Flash Crash

On May 20, Beijing time, PancakeBunny, a DeFi yield aggregator on the BSC chain, was hit by a flash loan attack.

PeckShield traced and analyzed the attack and found that the attacker used PancakeSwap to manipulate the price of LP tokens (BNB-BUSDT/BNB-BUNNY), resulting in a loss of over $45 million.

As a result of the attack, BUNNY's price dropped sharply, from $132 to $53 in a short period of time.

At the same time, PancakeBunny's TVL declined significantly, with the WBNB-BUSD locked position dropping from 5.43 million to 2.43 million, according to PeckShield's monitoring.

PancakeBunny is a yield aggregator associated with PancakeSwap, the decentralized exchange with the largest TVL on the BSC chain. LP tokens that users earn from market making on PancakeSwap can be deposited in PancakeBunny to generate compounded returns.

The following is the process of the attack.

Step 1: The attacker takes out 8 flash loans from PancakeSwap and Fortube Bank. On PancakeSwap, the attacker borrowed 1.05 million WBNB from the WBNB+CAKE pool, 522,500 WBNB from the WBNB+BUSD pool, 210,000 WBNB from the WBNB+ETH pool, 241,000 WBNB from the WBNB+BTCB pool, 134,000 WBNB from the WBNB+SAFEMOON pool, 99,000 WBNB from the WBNB+BELT pool, and 66,000 WBNB from the WBNB+DOT pool. On Fortube Bank, the attacker borrowed 2.96 million USDT.

Step 2: Deposit 2.96 million USDT and 7,886 WBNB into the WBNB+BUSDT pool to add liquidity and obtain the corresponding 144,000 LP tokens.

Step 3: Convert 2.23 million WBNB into 3.83 million BUSDT through the above WBNB+BUSDT pool, so that there is enough WBNB in the WBNB+BUSDT pool to raise the value of the pool tokens.

Step 4: Call the function getReward() in VaultFlipToFlip. Because the value of the LP token has increased, the attacker is rewarded with 6.97 million BUNNY (worth about $1 billion), and notably, the development team is rewarded with an additional 1.05 million BUNNY.

Step 5: Repay the flash loans borrowed from PancakeSwap and Fortube Bank.
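The price effect behind steps 3 and 4, modeled as an added example (not code from PancakeBunny, PancakeSwap or PeckShield): it compares a spot-reserve LP valuation with the commonly used "fair LP pricing" formula and a deviation guard. The reserves, LP supply, fee, BNB price and the naive valuation formula are constructed assumptions; only the 2.23 million WBNB swap size comes from the article.

```python
from math import sqrt

FEE = 0.0025  # assumed swap fee of the constructed pool

def swap_wbnb_in(r_bnb, r_usd, wbnb_in):
    """Constant-product (x*y=k) swap of WBNB for BUSDT; returns new reserves."""
    effective = wbnb_in * (1 - FEE)
    usd_out = r_usd * effective / (r_bnb + effective)
    return r_bnb + wbnb_in, r_usd - usd_out

def spot_lp_value(r_bnb, r_usd, supply, bnb_usd):
    """Assumed naive valuation: twice the WBNB side, priced externally.
    r_usd is unused; it is kept so both valuations share one signature."""
    return 2 * r_bnb * bnb_usd / supply

def fair_lp_value(r_bnb, r_usd, supply, bnb_usd, busdt_usd=1.0):
    """Fair LP pricing: 2*sqrt(k * p_bnb * p_busdt) / supply.
    Uses only k and external prices, so skewing the reserve ratio barely moves it."""
    return 2 * sqrt(r_bnb * r_usd * bnb_usd * busdt_usd) / supply

def pool_in_line(r_bnb, r_usd, bnb_usd, tolerance=0.02):
    """Guard: True only while the pool spot price stays near the external price."""
    return abs(r_usd / r_bnb - bnb_usd) / bnb_usd <= tolerance

def demo():
    bnb_usd = 340.0                         # constructed external BNB price
    r_bnb, r_usd = 100_000.0, 34_000_000.0  # constructed, balanced reserves
    supply = sqrt(r_bnb * r_usd)            # constructed LP supply
    before = (r_bnb, r_usd)
    after = swap_wbnb_in(r_bnb, r_usd, 2_230_000.0)  # swap size from step 3
    return {
        "spot_ratio": spot_lp_value(*after, supply, bnb_usd)
                      / spot_lp_value(*before, supply, bnb_usd),
        "fair_ratio": fair_lp_value(*after, supply, bnb_usd)
                      / fair_lp_value(*before, supply, bnb_usd),
        "guard_before": pool_in_line(*before, bnb_usd),
        "guard_after": pool_in_line(*after, bnb_usd),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A reward or minting function that values LP tokens with the fair formula, or that reverts while the guard is false, does not see the inflated value that a same-transaction swap produces.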

Flash loan attacks seem to have been frequent since late 2020, which for a time led the community to associate the term "flash loan" with negativity.

In reality, the flash loan is not a malicious tool per se, but rather an innovation. A flash loan is an unsecured loan that must be repaid before the blockchain transaction ends; if it is not repaid, the smart contract reverts the transaction, and it is as if the loan never happened. It uses the properties of the blockchain to do things that cannot be done in traditional finance.

Since the loan must be repaid in the same transaction in which it was borrowed, the borrower must use other smart contracts to transact with the loaned funds before the transaction ends.

This gives an attacker access to a large amount of funds in a very short period of time. These funds can be used as the cost of an attack to exploit code vulnerabilities or to manipulate pricing and profit from the resulting arbitrage.

In recent months, PeckShield has observed frequent attacks as the Binance Smart Chain (BSC) ecosystem has grown richer.

Outside of the BSC ecosystem, Polygon, Solana and other ecosystems are also attracting capital. From DEXs, lending, yield aggregators and leveraged mining to stablecoin exchange, BSC has covered almost the entire space of innovative DeFi products. If ecosystem members do not pay attention to and maintain the security of the ecosystem, users will naturally move on to the next battlefield once their trust is depleted.

Posted by: CoinYuppie, Reprinted with attribution to: