Pancake Bunny, Binance Smart Chain’s largest yield aggregator service, has suffered a flash loan attack in which over $44M was stolen by an outside exploiter. Pancake Bunny’s underlying native token, BUNNY, crashed from $150 to $1 within seconds.
Today at 10:34 UTC, PancakeBunny was attacked with an economic exploit that crashed the price of BUNNY.
None of the vaults have been compromised. Team Bunny is currently working on solutions and will provide a report as soon as possible.
To give a general update:
— pancakebunny.finance (@PancakeBunnyFin) May 20, 2021
A Massive Platform Brought to its Knees
Pancake Bunny has ground to a halt: all deposits and withdrawals have been paused while the developers complete a post-mortem.
The exploiter took a loan for a large amount of BNB from PancakeSwap and manipulated the LP ratio of USDT/BNB as well as BUNNY/BNB, according to Bunny developers. All of the generated BUNNY tokens were then dumped on the open market, crashing BUNNY by over 99%. The PancakeSwap loan was then returned using the resultant BNB from the sale.
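The LP-ratio manipulation described above, as an added example that is not from the original article or from PancakeBunny's code: a constant-product pool whose spot price is read straight from its reserves, plus a guard that compares that price to an independent reference before it is trusted. The reserves, fee, loan size, reference price and 2% threshold are all constructed values, and `safe_to_price` is a hypothetical helper.

```python
from dataclasses import dataclass

FEE = 0.0025  # assumed swap fee, constructed for this example


@dataclass
class Pool:
    """Constant-product (x * y = k) pool of BNB against a quote token."""
    bnb: float
    quote: float

    def spot_price(self) -> float:
        """Quote tokens per BNB, read directly from the current reserves."""
        return self.quote / self.bnb

    def swap_bnb_in(self, amount: float) -> float:
        """Sell `amount` BNB into the pool and return the quote tokens paid out."""
        effective = amount * (1 - FEE)
        out = self.quote * effective / (self.bnb + effective)
        self.bnb += amount
        self.quote -= out
        return out


def deviation(pool: Pool, reference_price: float) -> float:
    """Relative gap between the pool's spot price and an independent reference."""
    return abs(pool.spot_price() - reference_price) / reference_price


def safe_to_price(pool: Pool, reference_price: float, max_dev: float = 0.02) -> bool:
    """Guard a protocol can run before valuing LP tokens or minting rewards."""
    return deviation(pool, reference_price) <= max_dev


def simulate(loan_bnb: float = 9_000.0) -> dict:
    """One large borrowed swap against constructed reserves (1,000 BNB / 400,000 quote)."""
    pool = Pool(bnb=1_000.0, quote=400_000.0)
    reference = 400.0  # hypothetical time-averaged or external price feed
    before = (pool.spot_price(), safe_to_price(pool, reference))
    pool.swap_bnb_in(loan_bnb)
    after = (pool.spot_price(), safe_to_price(pool, reference))
    return {"before": before, "after": after, "deviation": deviation(pool, reference)}


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

With these numbers a single swap inside one transaction moves the reserve-derived price by about 99%, which is why reward or collateral calculations that read reserves directly need a reference price and a deviation limit.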
The exploiter has moved most of the BNB from the sale off BSC and onto ETH to guard against the minute possibility of a chain rollback, which, given the scale of the hack and the comparative chain sizes, is far less likely on ETH than on BSC.
At the time of this writing, the price rests around $70.
In a “go forward plan” post delivered by the team a few hours back, it’s made clear that “no vaults were compromised as the exploit crashed the price of BUNNY. $1 billion in TVL was not stolen.”
The team has also taken actions to compensate holders for the difference between the market cap at the time of the exploit and the current retained value by issuing a new token called pBUNNY and by delivering a “Compensation Pool.”
In the next 90 days, PancakeBunny will increase its BUNNY emissions, disbursing 100% of the performance fees that are accumulated up to the time of the exploit. At the end of this period, original holders will be able to swap pBUNNY for BUNNY at a discount to the market price.
Exploits on the Binance Smart Chain seem to be happening more often recently. Towards the beginning of May, CryptoPotato reported on another such case involving Spartan Protocol, in which the attackers made off with $30 million.