Aren’t Flashloans Earitating? PancakeBunny DEX Exploited!
A story of how an exploiter took advantage of flashloans to bring a BSC project to its knees, and make a lot of money in the process. And no, the title is not a typo.
Today, PancakeBunny Finance, a yield aggregator built on top of the PancakeSwap DEX on Binance Smart Chain, reported that it had been hit by an economic exploit that crashed the price of its native token BUNNY. In short, the attacker used flash loans to manipulate the pool reserves that PancakeBunny's reward logic relies on for pricing, walked away with a huge amount of freshly minted BUNNY, then dumped it on the market, causing the price to plummet.
To add insult to injury, the attacker did not forget to spit in people's faces by leaving a bunny-themed pun as a note on the transaction: “Aren’t Flashloans Earitating” (or “ArentFlashloansEaritating”, to be exact).
CoinGecko data shows the price plunging from USD 150.9 to USD 11.8 as the attack unfolded; it is currently trading at USD 32.6. For a brief window of about 20 minutes the price apparently dropped as far as USD 0.95, a dip that opportunists were quick to buy up.
The exploiter took eight flash loans: seven from PancakeSwap pools, totalling 2.3 million BNB (about $704 million), and one of 2.96 million USDT (about $2.96 million) from ForTube Bank, a DeFi lending protocol, for a combined total of nearly $707 million. They then used the borrowed funds to manipulate the market and PancakeBunny's BUNNY minting mechanism into rewarding them a far larger than normal amount of BUNNY, which they immediately dumped onto the market, tanking the price, and used the proceeds to repay the loans within the same transaction, as flash loan contracts require. The price manipulation made it possible to end up with more BNB and USDT than was needed to repay the loans; the difference was the exploiter's profit, while the side effect was the protocol's native token BUNNY being left in ruins, in addition to some USD 50 million in BNB “stolen”.
The exact process, according to blockchain security firm PeckShield (peckshield.com), was as follows:
- Step 1: Take 8 different flash loans, for a combined amount of 2.3 million BNB and 2.96M USDT. The first seven (BNB) are taken from various PancakeSwap pools, while the last one comes from ForTube Bank.
- Step 2: Deposit 2.96M USDT and 7,886 WBNB into the WBNB+BUSDT pool on PancakeBunny as liquidity, minting 144.45K LP tokens in return.
- Step 3: Swap 2.32M WBNB for 3.83M BUSDT via the same WBNB+BUSDT pool, so that the pool ends up with an enormous WBNB reserve. That reserve is what PancakeBunny's contract reads when it values the pool's LP tokens.
- Step 4: Call getReward() to claim rewards from VaultFlipToFlip. With the inflated LP token valuation, the attacker is able to claim a reward of 6.97M BUNNY (valued at about $1+ billion). Note that the dev team separately receives 1.05M BUNNY.
- Step 5: Return the flash loans from Step 1 to the PancakeSwap pools and ForTube Bank.
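The weak point in the trace above is the combination of Steps 3 and 4: the reward in Step 4 is sized from an LP token valuation that reads the pool's current reserves, and Step 3 lets the attacker set those reserves for the duration of a single transaction. The Python model below is an added illustration, not PancakeBunny's, PancakeSwap's or PeckShield's code; the reserves, the 0.25% fee, the reference BNB price and the reward formula are all constructed assumptions. It compares a spot-reserve LP pricer with the invariant-based "fair LP price" (2*sqrt(k*p0*p1)/supply), shows why the latter barely moves under the same flash-loan swap, and includes the deviation check a vault could apply before minting rewards.

```python
"""Toy model of the flash-loan oracle manipulation in the PeckShield trace.

Constructed numbers throughout: this is not PancakeBunny's or PancakeSwap's
code, and the reserves, fee and reward formula are assumptions chosen to make
the effect visible.
"""
from math import sqrt

SWAP_FEE = 0.0025  # assumed: PancakeSwap v2's 0.25% swap fee


class ConstantProductPool:
    """Minimal Uniswap-v2 style pair: reserves x*y = k, LP supply = sqrt(x*y)."""

    def __init__(self, reserve_bnb: float, reserve_usdt: float) -> None:
        self.bnb = reserve_bnb
        self.usdt = reserve_usdt
        self.lp_supply = sqrt(reserve_bnb * reserve_usdt)

    def add_liquidity(self, bnb: float, usdt: float) -> float:
        """Mint LP tokens pro rata to the smaller side, like UniswapV2Pair.mint."""
        minted = min(bnb / self.bnb, usdt / self.usdt) * self.lp_supply
        self.bnb += bnb
        self.usdt += usdt
        self.lp_supply += minted
        return minted

    def swap_bnb_for_usdt(self, bnb_in: float) -> float:
        effective = bnb_in * (1 - SWAP_FEE)
        usdt_out = self.usdt * effective / (self.bnb + effective)
        self.bnb += bnb_in
        self.usdt -= usdt_out
        return usdt_out

    def swap_usdt_for_bnb(self, usdt_in: float) -> float:
        effective = usdt_in * (1 - SWAP_FEE)
        bnb_out = self.bnb * effective / (self.usdt + effective)
        self.usdt += usdt_in
        self.bnb -= bnb_out
        return bnb_out


def naive_lp_price(pool: ConstantProductPool, bnb_price_usd: float) -> float:
    """The manipulable pattern: value one LP token from the pool's *current*
    reserves, multiplying the WBNB reserve by a reference BNB price the
    attacker does not move (assumed). Piling WBNB into this pool inflates the
    numerator while the multiplier stays put."""
    return (pool.bnb * bnb_price_usd + pool.usdt) / pool.lp_supply


def fair_lp_price(pool: ConstantProductPool, bnb_price_usd: float,
                  usdt_price_usd: float = 1.0) -> float:
    """Manipulation-resistant alternative: 2*sqrt(k*p0*p1)/supply (the 'fair
    LP token pricing' formula). It depends on the invariant k, not on how the
    reserves happen to be split, so a swap inside the transaction cannot move
    it except by the small fee it leaves behind."""
    k = pool.bnb * pool.usdt
    return 2 * sqrt(k * bnb_price_usd * usdt_price_usd) / pool.lp_supply


def valuation_deviation(pool: ConstantProductPool, bnb_price_usd: float) -> float:
    """Guard a vault could apply before paying rewards: how far the spot-reserve
    valuation sits above the fair valuation (0.0 for a balanced pool)."""
    return naive_lp_price(pool, bnb_price_usd) / fair_lp_price(pool, bnb_price_usd) - 1


def simulate(flash_loan_bnb: float = 2_000_000.0, bnb_price_usd: float = 300.0) -> dict:
    """Replays Steps 2-5 of the trace against the toy pool and reports the
    effect on both pricers."""
    pool = ConstantProductPool(reserve_bnb=100_000.0, reserve_usdt=30_000_000.0)

    # Step 2: the attacker adds a modest amount of liquidity and holds LP tokens.
    attacker_lp = pool.add_liquidity(bnb=1_000.0, usdt=300_000.0)
    naive_before = naive_lp_price(pool, bnb_price_usd)
    fair_before = fair_lp_price(pool, bnb_price_usd)

    # Step 3: dump the flash-loaned WBNB into the same pool.
    usdt_out = pool.swap_bnb_for_usdt(flash_loan_bnb)
    naive_after = naive_lp_price(pool, bnb_price_usd)
    fair_after = fair_lp_price(pool, bnb_price_usd)

    # Step 4 analogue: a reward sized from the LP valuation. Toy formula
    # (assumed, not Bunny's): reward = USD value of the LP / reward token price.
    reward_token_price_usd = 100.0
    honest_reward = attacker_lp * naive_before / reward_token_price_usd
    inflated_reward = attacker_lp * naive_after / reward_token_price_usd
    deviation_seen_by_guard = valuation_deviation(pool, bnb_price_usd)

    # Step 5: unwind the swap so the flash loan can be repaid in the same tx.
    bnb_recovered = pool.swap_usdt_for_bnb(usdt_out)

    return {
        "naive_inflation": naive_after / naive_before,   # roughly 10x
        "fair_drift": fair_after / fair_before,           # roughly 1.001x (fees only)
        "reward_multiplier": inflated_reward / honest_reward,
        "guard_deviation": deviation_seen_by_guard,       # roughly 9.4, i.e. 940%
        "bnb_recovered": bnb_recovered,                   # a little under the loan (fees)
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value:,.4f}")
```

Running it shows the spot-reserve valuation jumping roughly tenfold while the fair valuation moves by about a tenth of a percent (fee accrual), and the attacker getting back slightly less BNB than borrowed, so the profit has to come from the oversized reward, exactly as in Step 4 of the trace. The specific formula matters less than the principle: anything that reads a single AMM pool's reserves in the same transaction as a caller-controlled swap is an attacker-controlled input. Time-weighted prices or invariant-based fair-value pricing, combined with a deviation check like `valuation_deviation` that refuses to pay out when spot and fair value disagree, are the standard mitigations.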
Since PancakeSwap does not offer loans as far as most users are aware, the attack raised a lot of questions as to how this was possible. It turns out that while PancakeSwap does not officially offer loans, flash swaps are built into the pair contract that the DEX (a Uniswap v2 fork) runs on: the pair's swap function sends the requested tokens out first, hands control to the caller's callback, and only afterwards checks that enough tokens came back to keep the pool's invariant intact. In other words, while the website offers no such thing, a savvy user can still take advantage of the code by interacting with the contract directly rather than through the web interface that most users rely on.
PancakeBunny Finance claims that none of its vaults were breached, and that some reports state “an inaccurate amount of losses.”
Despite rumors that the attacker made off with $1 billion worth of tokens, it seems the loan amount used to carry out the exploit (and repaid as part of its mechanics) was confused with the actual loot. Sources put the “real” losses at around “just” $50 million, though losses are not so easily defined, since such an exploit can hurt every asset involved through price manipulation and the dumping of the loot on the market. The lost value of the BUNNY tokens alone, which at one point had shed most of their value and are currently sitting at a -69.36% loss (24hr), has left a big hole in investors' pockets and should not go unaccounted for when tallying the damage from this attack.
They also said that they are working on a reimbursement plan: “Transactions cannot be reverted, but the BUNNY team is working on a plan to reimburse lost value”. How they plan to achieve that remains to be seen, since the transactions indeed cannot be reverted, as does whether the planned reimbursement covers the damage done to BUNNY token holders.
Below is an interesting account of events as researched and posted by Igor Igamberdiev
Official post mortem update by PancakeBunny Finance:
The majority of the loot was then sent to this address, which later forwarded it on to this address.
CumRocket and the Power of Elon Musk Tweet
When Elon Musk tweeted “Canada, USA, Mexico”, spelling out an acronym “CUM”, many assumed he was referring to the “United States–Mexico–Canada Agreement” (former NAFTA), but with an Elon Musk twist. Because you know… it would make for a totally better acronym than what they came up with (USMCA).
Or maybe it was just me?
Lo and behold, barely a day later Musk blessed us with yet another tweet, this time dispelling any doubts one might have had about the meaning of his previous one.
CumRocket To the Moon
Within minutes of his “Cum Rocket to the moon” tweet on June 5, CumRocket (CUMMIES) skyrocketed from $0.067 to $0.284 (a +330% instant gain) before crashing back down to $0.114 some half an hour later; it is currently trading at $0.1746 (+168.95% 24hr gain).
Spaniards to Be Taxed on ‘Overseas’ Crypto Holdings
As reported by El Economista, the Spanish parliament has voted in favor of a controversial new law that will require Spanish citizens to report their overseas crypto holdings, as the government appears ready to impose more control and regulation over the growing crypto sector.
According to an official government release, the new law will require Spaniards “to report their holdings and operations with cryptocurrencies,” on crypto held both domestically and abroad if the transactions “affect Spanish taxpayers.”
According to the release, information will be required on the balances and holders of the coins, as well as on all types of operations that have been carried out with them.
“Due to their proliferation and popularity among investors and savers, it is necessary to take greater control over cryptocurrencies”
The new regulations will make it “mandatory to inform” the tax body on annual declarations of assets and property.
The bill, named the ‘Law on Prevention and Fight Against Tax Fraud’ (Ley de Medidas de Prevención y Lucha contra el Fraude Fiscal), also contains other provisions intended to fight tax avoidance, and will give tax bodies the power to conduct spot checks on “homes and businesses”.
The bill has been in the works since last year, when the Council of Ministers gave it the green light; now that the Senate has passed it by majority vote, it still needs to be ratified.
Once ratified, it will see “overseas” crypto holdings integrated into the often criticized Modelo 720 system, which requires Spaniards to complete exhaustive declarations of their overseas real estate holdings.
Charles Hoskinson Explains Why He Believes Cardano Is Superior to Ethereum 2.0
While Cardano (ADA) supporters like to call it an Ethereum killer, Charles Hoskinson, founder of Cardano, said that Ethereum is actually “killing itself” by replacing the current proof-of-work (PoW) version with Ethereum 2.0, a new proof-of-stake (PoS) iteration.
When asked if Ethereum 2.0 could also be seen as a Cardano killer, now that it is switching to PoS as well, Hoskinson said that he does not see it that way, since Cardano is the market leader in PoS, implying that their longer experience with PoS gives Cardano the upper hand in the PoS space:
“We are leading that fight. We were first to the market… Engine doesn’t make a BMW a BMW. It’s a part of it, but you need a whole ecosystem, a whole collection of things.” (Charles Hoskinson, May 26, 2021)
Subjective: Assigning such prominence to Cardano having been first to market with PoS sounds like a weak argument, seeing as Ethereum, along with Bitcoin, is becoming a household name whereas Cardano… well, is not yet. The whole “first to market” argument, resting solely on the consensus protocol in use, falls somewhat short and makes us seriously wonder why Mr. Hoskinson would spit in his own cup by implying that being first carries such weight, seeing as ETH is actually the grandfather of smart-contract blockchains and the true pioneer of that space.
Fun fact: the first cryptocurrency to adopt PoS was Peercoin; Blackcoin and ShadowCoin soon followed suit.
Governance, interoperability, and user bases
The creator of Cardano also touched on governance, saying that Ethereum 2.0 has bowed out of on-chain governance, which he said would make it hard for the ecosystem to evolve once its founders retire or lose prominence, whereas on-chain governance is a vital part of Cardano’s roadmap.
He also compared Bitcoin (BTC), the largest cryptocurrency by market capitalization and the grandfather of all cryptocurrencies, to a “wood-powered steam engine” because of how slowly it evolves.
“You have those Bitcoin core developers who desperately want to evolve the system: even though core developers want to implement multiple improvements like smart contracts and side-chains, they can’t get anything done.” (Charles Hoskinson, May 26, 2021)
Hoskinson also pointed out that Ethereum is, for now, not as interoperable as some similar blockchain projects such as Cardano, Cosmos and Polkadot (among others) that have made sidechains available on their networks.
And finally, he claims that, beyond their different technologies and philosophies, Eth 2.0 and Cardano also have different user bases:
“We are bringing millions of people in Africa that simply Ethereum doesn’t seem to care about… outside of South Africa and a few well developed places in Africa.”