~$45m Flash loan attack on PancakeBunny

~$45m Flash loan attack on PancakeBunny

By EatTheBugs | EatTheBugs | 20 May 2021


You'd think that DEX's like PancakeSwap would recognize that to stop a flash loan you need to have solid, accurate Oracles to get accurate prices for liquidity providers (BNB-BUSDT / BNB-BUNNY in this case) many of them have happened in our space since it began. 

Alas, another successful flash loan exploit was expertly executed and the holders of BUNNY are having an epic meltdown on the socials. The price plummted by over 99% down from $146 to $6.17 in less than an hour before the AMM stepped up and stopped withdrawals and trading. The Supreme Chad behind the exploit left a taunting message in the tx...

Savage Troll, ser

Yes, indeed the Earitation was so bad it caused a bunny-driven bloodbath not seen since those noble Knights entered that dreaded beast's cave in Monty Python's quest for the Holy Grail.

93e2d3fbf262b8eeea6a051c67c9af424715a52063d4e0a697f3caea88936ce3.jpg

12376eb0296921772af9178eef93e7d51aad6c1417479b66a9e781b32063de18.jpg

 

So, what happened?

Yesterday, at around 10:34PM UTC, a tesseract-brained individual strolled into the Bunny cage with some poisoned pancake. 

The BUNNY team is now referring to this individual as, "the hacker", to try and obfuscate the fact that they didn't have proper price data going back and forth betwen PancakeSwap and PancakeBunny. e42a2a58a1e8873f2c65c2c77019cdc103e4f82184adcfbe1d1343c24479182d.png

c923c2a39145efe83366bb68856845d10c3bc497a261e688cbd3900da0ed11d1.png

And here is the address of the exploiter showcasing their brilliant strategy to take BUNNY down from $10bn in TVL yesterday to just under $1bn. All it took was 8 flash loans. 

From Rekt Blog's post-mortem this morning:

b97101d617569c7d3fb40a6fa9b1d1e72e246713479bde06d0e687bc644d135b.png

feb375867291747b170b428974ad2ef68d01c8b61478c5db2c071ab2287ed7c4.png

All things being equal in this JRPG we call crypto, bad actors are going to do what they're going to do. DEX's should know this and they DEFINITELY should have known they were vulnerable for such a flash loan attack...it's only happened literally dozens of times now.

I captured a screenshot that is pretty alarming from the admins in PancakeBunny's official telegram that shows just how deep this, pardon the pun, rabbit hole goes....

19f862a5ef31de06f94be7c0bbedeba1ac3910a0a9de3eaa818383b7cd731d11.png

It appears that the PancakeBunny team was either in denial, clueless or they knew they were vulnerable but they couldn't contribute to the exploit by expounding their own FUD on themselves.

I'm not saying that it's funny to laugh at this all and just shake your head, but it was pretty funny in Telegram yesterday...if you want some serious dose of hilarious schizo melodrama, head over to Bunny's Official Telegram right now. They've since disabled chat and put out a lengthy, but rather vague, Medium post about next steps they're taking to suss out how to get people reimbursed. 

The party is just getting started. Pull up a chair and grab some snacks. As of this morning, this tale of carnage now merits the top-3 spot on Rekt's leaderboard of shame. 

 

063f3919af1d7f531cb4ab84a0a42c6eb34a076ecdefb2907472afba60ea7108.gif 

I hope you enjoyed this shitty content and that you didn't get rugged too hard yesterday if you were a BUNNY :)

How do you rate this article?

5


EatTheBugs
EatTheBugs

Let's take a second to pull our heads out of asses, sound good?


EatTheBugs
EatTheBugs

Worlds within worlds

Publish0x

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.