This week the token prices of DeFi protocols hit by flash-loan attacks were as changeable as May weather: they crashed without warning. With flash-loan attacks once again coming thick and fast, the token prices of several protocols have fallen close to zero within a single week, with losses in the tens of millions of dollars. After repeated attacks, have DeFi protocol developers really raised their game on code security?
On May 24 (Beijing time), PeckShield issued an alert that AutoShark Finance, a DeFi protocol forked from the yield aggregator PancakeBunny, had been hit by a flash-loan attack.
PeckShield tracked and analyzed the attack and found that it closely resembled the flash-loan attack on PancakeBunny five days earlier.
According to AutoShark Finance, it is built on PantherSwap, a top-three decentralized exchange on the BSC chain by trading volume, rather than on PancakeSwap, and it had claimed that this made it immune to the PancakeBunny attack.
Users provide liquidity on PantherSwap, receive LP tokens, and stake them in AutoShark Finance to earn compounded returns. Unfortunately, this did not shield it from the shared-codebase vulnerability it inherited by forking PancakeBunny's code.
PeckShield summarized the attack as follows.
The attacker takes a 100,000 BNB flash loan from PancakeSwap and swaps 50,000 BNB into SHARK, then deposits the remaining 50,000 BNB together with the SHARK into PantherSwap as liquidity and receives the corresponding LP tokens. The attacker calls getReward(): the large liquidity injection inflates the value the contract assigns to the LP tokens, and the minter issues the attacker roughly 100 million SHARK as a reward. The attacker then withdraws the liquidity and repays the flash loan, completing the attack. The proceeds were converted to ETH in batches via the Nerve (Anyswap) cross-chain bridge; CoinHolmes, PeckShield's anti-money-laundering situational awareness system, is continuously monitoring the movement of the transferred assets.
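To make the mechanism concrete, here is an added example (not code from AutoShark Finance or PancakeBunny) that models the class of bug PeckShield describes: a reward minter values the LP tokens it collects as a fee from the pool's current spot reserves, so a flash-loan swap in the same transaction inflates that value and the number of reward tokens minted. The pool sizes, the reward rate `TOKENS_PER_BNB`, and the "twice the BNB reserve" valuation in `spot_lp_value_bnb` are constructed assumptions that mimic the bug, not the protocols' actual contracts. The contrasting `fair_lp_value_bnb` applies the invariant-based "fair LP pricing" formula published by Alpha Finance Lab, fed by an external price, and is shown as a mitigation, not as anything AutoShark did.

```python
"""Toy model of a reward minter that values LP tokens from spot reserves.

Added example, not code from AutoShark Finance or PancakeBunny. All numbers
are constructed; the valuation formulas are assumptions that mimic the bug
class, not the protocols' actual contracts.
"""
from math import sqrt

TOKENS_PER_BNB = 5.0  # assumed reward rate: reward tokens minted per BNB of fee value


class Pool:
    """Minimal constant-product AMM pair (x * y = k). Trading fee omitted."""

    def __init__(self, reserve_bnb: float, reserve_tok: float):
        self.reserve_bnb = reserve_bnb
        self.reserve_tok = reserve_tok
        self.total_supply = sqrt(reserve_bnb * reserve_tok)  # LP tokens outstanding

    def swap_bnb_for_tok(self, bnb_in: float) -> float:
        """Sell BNB into the pool; returns TOK received. Leaves k unchanged."""
        k = self.reserve_bnb * self.reserve_tok
        self.reserve_bnb += bnb_in
        new_tok = k / self.reserve_bnb
        tok_out = self.reserve_tok - new_tok
        self.reserve_tok = new_tok
        return tok_out

    def add_liquidity(self, bnb_in: float) -> float:
        """Add BNB plus matching TOK at the current ratio; returns LP minted."""
        share = bnb_in / self.reserve_bnb
        lp_out = self.total_supply * share
        self.reserve_tok += self.reserve_tok * share
        self.reserve_bnb += bnb_in
        self.total_supply += lp_out
        return lp_out


def spot_lp_value_bnb(pool: Pool, lp_amount: float) -> float:
    """Vulnerable valuation (assumed): twice the BNB reserve times the LP share.
    Exact at equilibrium, but it tracks whatever the reserves are right now."""
    return 2.0 * pool.reserve_bnb * lp_amount / pool.total_supply


def fair_lp_value_bnb(pool: Pool, lp_amount: float, ext_tok_price_bnb: float) -> float:
    """Manipulation-resistant valuation: 2 * sqrt(k * p_tok) times the LP share,
    with p_tok from an external source such as a TWAP. A swap inside the
    transaction moves the reserves but not k, so this value does not move."""
    k = pool.reserve_bnb * pool.reserve_tok
    return 2.0 * sqrt(k * ext_tok_price_bnb) * lp_amount / pool.total_supply


def mint_for_fee(fee_value_bnb: float) -> float:
    """Reward tokens the minter issues for a fee worth fee_value_bnb."""
    return fee_value_bnb * TOKENS_PER_BNB


def simulate(flash_loan_bnb: float = 100_000.0, fee_lp: float = 10.0) -> dict:
    """Replay the attack shape on a constructed TOK/BNB pool; return both valuations."""
    pool = Pool(reserve_bnb=1_000.0, reserve_tok=100_000.0)  # constructed: 1 TOK = 0.01 BNB
    ext_price = pool.reserve_bnb / pool.reserve_tok  # pre-attack price, stands in for a TWAP

    before = {
        "spot": spot_lp_value_bnb(pool, fee_lp),
        "fair": fair_lp_value_bnb(pool, fee_lp, ext_price),
    }

    # Step 1: half the flash loan is swapped into TOK, pushing the BNB reserve up.
    pool.swap_bnb_for_tok(flash_loan_bnb / 2)
    # Step 2: the other half is added as liquidity to obtain LP tokens to deposit.
    pool.add_liquidity(flash_loan_bnb / 2)
    # Step 3: getReward() takes a fee of fee_lp LP tokens and the minter values it.
    after = {
        "spot": spot_lp_value_bnb(pool, fee_lp),
        "fair": fair_lp_value_bnb(pool, fee_lp, ext_price),
    }
    return {
        "before": before,
        "after": after,
        "minted_spot": mint_for_fee(after["spot"]),
        "minted_fair": mint_for_fee(after["fair"]),
        "inflation": after["spot"] / before["spot"],
    }


if __name__ == "__main__":
    r = simulate()
    print(f"fee value before attack: spot {r['before']['spot']:.2f} BNB, fair {r['before']['fair']:.2f} BNB")
    print(f"fee value during attack: spot {r['after']['spot']:.2f} BNB, fair {r['after']['fair']:.2f} BNB")
    print(f"minted: {r['minted_spot']:.0f} tokens (spot) vs {r['minted_fair']:.0f} (fair), x{r['inflation']:.0f}")
```

With these constructed numbers the same 10 LP fee is worth 2 BNB before the swap and 102 BNB during it under the spot valuation, so the minter hands out 51 times the reward it should; the invariant-based valuation returns 2 BNB in both states because the attacker's swap changes the reserves but not their product. The real attack was larger in absolute terms, but the lever is the same: any value read from a pool the caller can move within the transaction is attacker-controlled.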
After PancakeBunny's flash-loan attack, AutoShark Finance had published an article analyzing how the PancakeBunny attack worked and stressed its own focus on security: "We have done 4 code audits in total, 2 of which are ongoing."
After an attack on a similar DeFi protocol, did the developers actually check in time whether their own contracts carried the same vulnerability? Did they pay more attention to protocol security? Judging from the attack on AutoShark Finance, apparently not enough.
PeckShield's head of security said: "Starting from known vulnerabilities is a common way for attackers to profit in the still-maturing DeFi space. After other protocols were attacked, did you check your own code to see whether similar vulnerabilities existed? Are there security risks in the protocols you interact with?"
PeckShield also advises investors to pay closer attention to similar protocols after a DeFi protocol is attacked, to avoid shared-codebase risk, and not to rush to buy the dip when a token's price plunges after an attack.
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/shark-flash-drop-99-forked-bunnys-code-and-forked-its-attack/