On May 20, the CertiK security technology team discovered that PancakeBunny (BUNNY), a CoinSec smartchain DeFi revenue aggregator, was attacked by a lightning loan and suffered a token flash crash.
A total of 114,631 BNBs and 697,245 BUNNYs were lost in the incident, representing approximately $42 million in contracts at the prevailing price.
The CertiK security team investigated and concluded that since the protocol uses PancakeSwap AMM for asset price calculation, the hackers maliciously exploited Lightning Lending to manipulate the price of the AMM pool and successfully completed the attack by taking advantage of a calculation problem in Bunny’s minting of tokens.
How did the attack happen?
For this attack, the attackers made a total of 8 lightning loans. Seven of the lightning loans came from the BNB of the PancakeSwap liquidity pool, and the other from the USDT of ForTube Bank.
Technical Details Analysis
In the article, CertiK security experts added address labels (shown below) to make the flow of tokens clearer.
Address of the attacker: https://bscscan.com/address/0xa0acc61547f6bd066f7c9663c17a312b6ad7e187
Address of the contract used by the attacker: https://bscscan.com/address/0xcc598232a75fb1b361510bce4ca39d7bc39cf498
In the first transaction, the attacker accomplishes two things.
① Convert the BNB to “USDT-BNB FLIP”.
② Deposit the “USDT-BNB FLIP ” into BUNNY’s pool.
The attacker deposits the FLIP into the pool so that when it calls the Withdraw() or getReward() functions in the VaultFlipToFlip contract at a later time, the pool will mint BUNNY tokens.
What “Zap” does is swap half of the offered tokens for the other token of the pair and offer both tokens to the corresponding PancakeSwap pool. This can also be done through BUNNY’s Dapp frontend.
② Deposit the USDT-BNB FLIP into the pool.
After completing the first transaction to deposit “USDT-BNB FLIP ” into the BUNNY pool, the attacker performed the second transaction, which is the one most people are most concerned about.
The transfer of all tokens that occurred in the second transaction is next broken down into multiple parts.
① The attacker borrowed a total of 2.23 million BNB from 7 different PancakeSwap liquidity pools using lightning loans and 2.96 million USDT from ForTube using lightning loans.
The attacker then provided 7,700 BNBs and 2.96 million USDT of liquidity to the “USDT-BNB” pool, obtaining 144,000 LP tokens.
② The attacker exchanged 2.23 million BNBs obtained from lightning loans for 3.83 million USDT in the PancakeSwap V1 pool.
Since the BNB and USDT reserves in V1 pool are much smaller than those in V2 pool, the price of V1 pool is easier to be manipulated, and the BNB price drops sharply after exchanging BNB for USDT.
③Mentioned above that the attacker stored “USDT-BNB FLIP ” in ” Transaction One ” to the BUNNY pool, and now the attacker can call the “getReward() ” function to mint BUNNY.
The call to the “getReward() ” function in the “VaultFlipToFlip ” contract generates a large number of token transfer records, as shown in the screenshot.
The details of what happens in this function in the figure above are as follows.
❷BUNNYMinterV2 removes liquidity from the USDT-BNB v2 pool – 2.96 million USDT and 7,744 BNBs are removed from the pool.
❸ Swapping USDT for BNB. v1 PancakeSwap Router is used in the ZapBSC contract instead of v2.
Since the price of the V1 pool has been manipulated (see step ②), the attacker is able to swap 2.96 million USDT into 2.31 million BNB.
Then, half of the BNBs (1.156 million) are exchanged for BUNNY, and the other half of the BNBs (1.156 million) and the exchanged BUNNY are added to the BNB-BUNNY pool.
Now, a large number of BNBs are added to the BNB-BUNNY pool, which increases the number of BNBs(reserve0).
This will be used to manipulate the “valueInBNB ” variable when later calculating the number of BUNNYs to be minted.
ZapBSC contract address https://bscscan.com/address/0xf4c17e321a8c566d21cf8a9f090ef38f727913d5#code
❹ Swap half of the 7700BNB obtained by removing liquidity in marker ❷ to BUNNY and pair the other half of the BNB with BUNNY to provide liquidity in the “BNB-BUNNY” pool.
Note that marks ❷, ❸ and ❹ occur in the “_zapAssetsToBUNNYBNB ” function call in the “mintForV2 ” function of the “BunnyMinterV2 ” contract.
BunnyMinterV2 contract address: https://bscscan.com/address/0x819eea71d3f93bb604816f1797d4828c90219b5d#code
❺ All LP tokens generated from tokens ❸ and ❹ are sent to PancakeSwap’s BUNNY pool as a result of this line of code executed in the “mintForV2 ” function in the BunnyMinterV2 contract.
As shown in marker ❺, the contract continues to execute, minting 7 million BUNNY (based on previous BUNNY prices up to a value of about $1 billion).
So, what caused the contract to mint so much BUNNY ???? What is it?
In the bunnyMinterV2 contract, the amount of BUNNY to be minted is related to the “valueInBNB” variable, which is calculated using the priceCalculator.valueOfAsset(BUNNY_BNB, bunnyBNBAmount) function.
In the function valueOfAsset, the valueInBNB is calculated as follows: valueInBNB = amount.mul(reserve0).mul(2).p(IPancakePair(asset).totalSupply())
Because there are a large number of BNBs in the BNB-BUNNY pool (as explained in marker ❸ and ❹ above), the variable “reserve0” is a very large value that makes “valueInBNB ” large, so it ends up increasing the number of BUNNYs cast.
④ After receiving 7 million BUNNY, the attacker swaps BUNNY for BNB in the PancakeSwap BNB-BUNNY V1 pool and V2 pool.
⑤ Finally, the attackers repay the lightning loans to the seven liquidity pools of ForTube and PancakeSwap and transfer 697,000 BUNNY and 114,000 BNB to the attackers’ addresses.
One of the reasons why this attack works is that the “ZapBSC ” contract (https://bscscan.com/address/0xf4c17e321a8c566d21cf8a9f090ef38f727913d5#code) uses the PancakeSwap V1 liquidity pool to exchange tokens via the V1 PancakeSwap Router for token exchange.
Many DeFi projects cannot transition from PancakeSwap V1 to V2 because they write the PancakeSwap Router and the pool dead in the contract to the address of V1.
Since the V1 liquidity pool has been abandoned, they have a low reserve of tokens in the pool, which makes it easier for attackers to manipulate the price of tokens in it.
Write at the end
The current crypto world is such that lightning loan attacks and malicious price manipulation will certainly not be the last.
CertiK recommends that the DeFi project migrate its PancakeSwap integration from V1 to V2.
It can also use Time Weighted Average Price (TWAP) to avoid losses from abnormal price fluctuations as a way to prevent hackers from using flash lending to attack price prediction machines.
Posted by:CoinYuppie，Reprinted with attribution to:https://coinyuppie.com/pancakebunny-flash-crash-the-most-complete-technical-details-dissected-defi-app-rings-alarm-bells-again/
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.