As you know, BSC has recently been hit by several attacks targeting big platforms such as Spartan Protocol, Uranium and now PancakeBunny.
It is clear that this increase in incidents, coupled with the recent market downturn, has made the last few weeks a bit turbulent. It’s still too early to say what the future holds for the price, but you can be assured that we will continue to work on the features promised in our roadmap!
Let’s move on to the point that interests us the most today: what happened to PancakeBunny?
First of all, I would like to dispel any doubts you may have: no, PancakeBunny did not rug; they were indeed the victim of an attack.
On Wednesday, May 19th, around 23:00 UTC, an attacker managed to manipulate the platform's LPs.
The operation took place in several steps:
1) The exploiter added a small number of assets to the Bunny USDT-WBNB Vault.
2) He borrowed 2.3M BNB ($704M) from seven PancakeSwap pools and 2.9M USDT from ForTube Bank using flash loans.
3) The hacker added 7.7k BNB and 2.9M USDT liquidity to the USDT-WBNB pool on PancakeSwap while leaving LP tokens in this pool.
4) Then he swapped 2.3M BNB to USDT through this pool.
5) Once everything was set, he minted 7M BUNNY ($1B+) using the assets from the first step: because of the extra LP tokens in the PancakeSwap pool, Bunny Finance believed that the exploiter had added a large amount of BNB.
6) Right after, the exploiter sold 4.8M minted BUNNY for 2.3M WBNB and 2.9M USDT, then started to repay flash loans.
7) Finally, he withdrew a bunch of ETH to Ethereum through the Nerve bridge.
The whole operation cost the attacker the ridiculous sum of $9 in transaction fees (even though the operation itself mobilized substantial funds).
The hacker made sure to leave a message attesting to his act and indicating the procedure used.
How did PancakeBunny react?
The team reacted quickly by informing its users of the problem and blocking withdrawals on its platform until the cause of the attack was identified and a solution found to prevent a similar scenario. Despite these quick actions, several tens of thousands of investors were victims of the attack.
BUNNY went from $200 to $1 in a matter of minutes, causing panic on the platform’s Discord and Telegram.
In order to compensate the victims, PancakeBunny has proposed a compensation plan to its users based on a new token named pBUNNY (Platinium BUNNY), which will allow its holders to receive compensation funds by staking it on the appropriate pool. In addition to this, there have been various changes and evolutions to the site to apologize to its users and to bring them back.
In addition, the team with the pink rabbit shared its future plans with us, revealing its new features to come. You can find their full article here: https://pancakebunny.medium.com/go-forward-plan-e29e58bc375f
What are the risks for HyruleSwap?
Although zero risk does not exist, this kind of attack cannot be reproduced on our website for a very specific reason. BUNNY was minted in a rather unusual way: instead of a fixed rate of X BUNNY per block, they adopted a dynamic approach that created 3 BUNNY each time 1 BNB in performance fees was reached. Although innovative, this method was the entry point for the hacker, who managed to abuse the system to mint an impressive number of tokens before dumping them.
Hyrule does not have a dynamic system like PancakeBunny, and therefore it is impossible to reproduce the same attack on our platform.
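To make the weakness concrete, here is an added example (not PancakeBunny's or HyruleSwap's code) of a mint rule of 3 BUNNY per 1 BNB of fees that values the fee from a pool's instantaneous reserves, next to a version that refuses to mint when the spot price has drifted from a reference price. The pool model, the reserve figures, the 2% tolerance and all function names are assumptions made for illustration.

```python
# Added illustration with constructed numbers; simplified constant-product pool, no swap fee.
from dataclasses import dataclass

BUNNY_PER_BNB = 3      # from the article: 3 BUNNY per 1 BNB of performance fees
MAX_DEVIATION = 0.02   # assumed tolerance between spot and reference price

class PriceDeviation(Exception):
    """Spot price is too far from the reference price to be trusted."""

@dataclass
class Pool:
    bnb: float
    usdt: float

    def spot_bnb_per_usdt(self) -> float:
        # Instantaneous price read straight from the reserves.
        return self.bnb / self.usdt

    def swap_bnb_for_usdt(self, bnb_in: float) -> float:
        # x * y = k: adding BNB removes USDT and moves the spot price.
        k = self.bnb * self.usdt
        self.bnb += bnb_in
        usdt_out = self.usdt - k / self.bnb
        self.usdt -= usdt_out
        return usdt_out

def mint_from_spot(pool: Pool, fee_usdt: float) -> float:
    # Weak: trusts whatever the reserves say in the current transaction.
    return BUNNY_PER_BNB * fee_usdt * pool.spot_bnb_per_usdt()

def mint_guarded(pool: Pool, fee_usdt: float, ref_bnb_per_usdt: float) -> float:
    # Hardened: value the fee at a reference price (e.g. a time-weighted average)
    # and refuse to mint while spot has drifted away from it.
    spot = pool.spot_bnb_per_usdt()
    if abs(spot - ref_bnb_per_usdt) / ref_bnb_per_usdt > MAX_DEVIATION:
        raise PriceDeviation(f"spot {spot:.6f} vs reference {ref_bnb_per_usdt:.6f}")
    return BUNNY_PER_BNB * fee_usdt * ref_bnb_per_usdt

if __name__ == "__main__":
    pool = Pool(bnb=1_000, usdt=300_000)               # constructed reserves
    ref = pool.spot_bnb_per_usdt()                     # reference taken before any large trade
    print("normal mint:", mint_from_spot(pool, 300))   # about 3 BUNNY
    pool.swap_bnb_for_usdt(9_000)                      # one large swap skews the reserves
    print("skewed mint:", mint_from_spot(pool, 300))   # about 300 BUNNY
    try:
        mint_guarded(pool, 300, ref)
    except PriceDeviation as err:
        print("guard refused:", err)
```

The same fee mints roughly a hundred times more tokens once the reserves are skewed, which is why a fixed per-block emission is not exposed to this input at all.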
However, this does not exclude a potential attack in the future, which is why we are very careful about the security of HyruleSwap and have requested an audit from Certik. Moreover, we are quite “small” compared to the victims of recent hacks, so it is quite unlikely that someone would attack us when they could very well do it somewhere more profitable.
We hope this article has been informative and useful to you. As always, we’d love to hear your thoughts on the situation! If we hear anything about the case, we’ll be sure to share it with you on our social networks.