Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The PancakeBunny Protocol Hack- 902

Rob Behnke, Posted 3 Years Ago
  • Pancake Bunny is a yield farming aggregator and optimizer for Binance Smart Chain (BSC) and Ethereum. Before carrying out this attack, the attacker took out a flash loan on BNB and Tether (USDT).
  • First, the attacker minted a large amount of Liquidity Provider (LP) tokens for the pool. The price of BUNNY (the LP token) is based upon the amount of BNB compared to the amount of USDT in the pool. Another description of this attack with more detail is found here.
  • Then, they swapped a large amount of BNB into the pool for USDT. Swapping such a large number of tokens into the pool drastically modified the exchange rate. The pricing of tokens depends on the balance of the pool at the time of the swap, so taking a ton of them out leaves the pool unbalanced. This makes the BNB token very expensive and USDT very cheap.
  • Here is the main issue: the amount of BUNNY tokens minted is based strictly upon the amount of BNB compared to the amount of USDT in the pool. So, by exchanging their LP tokens, they claim more BUNNY tokens than they should be entitled to.
  • Finally, they repay all of the sources of the flash loan by swapping the BUNNY for something else on other exchanges. Wow, flash loans are crazy complicated... The simple remediation is to require multi-transaction operations. Additionally, using a pricing oracle, such as Chainlink, could have solved this problem as well.
  • The same company was hit by ANOTHER flash loan attack on their Polygon version of this. In this case, the flash loan allowed the attacker to get a crazy performance fee to mint too much BUNNY (again).
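
The ratio-based minting issue and the oracle remediation from the notes above, modelled in Python as an added example (not code from the original post or from PancakeBunny). It assumes a zero-fee constant-product pool; the class, the function names, the mint rule, the 2% tolerance and every number are constructed for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction

# Constructed numbers and hypothetical names throughout; a zero-fee
# constant-product (x * y = k) pool is assumed for simplicity.

@dataclass
class Pool:
    bnb: Fraction
    usdt: Fraction

    def ratio(self) -> Fraction:
        """BNB compared to USDT, read directly from the current reserves."""
        return self.bnb / self.usdt

    def swap_bnb_for_usdt(self, bnb_in: Fraction) -> Fraction:
        """Add BNB and remove USDT so that bnb * usdt stays constant."""
        k = self.bnb * self.usdt
        self.bnb += bnb_in
        usdt_out = self.usdt - k / self.bnb
        self.usdt -= usdt_out
        return usdt_out


def mint_from_pool_ratio(pool: Pool, units: Fraction) -> Fraction:
    """Hypothetical mint rule that trusts the ratio the pool shows right now."""
    return units * pool.ratio()


def mint_with_oracle(pool, units, oracle_ratio, max_deviation=Fraction(2, 100)):
    """Mint from an external reference ratio; refuse if the pool disagrees."""
    deviation = abs(pool.ratio() - oracle_ratio) / oracle_ratio
    if deviation > max_deviation:
        raise ValueError(f"pool ratio off reference by {float(deviation):.0%}")
    return units * oracle_ratio


def demo():
    pool = Pool(Fraction(1_000), Fraction(400_000))   # constructed reserves
    oracle_ratio = pool.ratio()                       # reference taken before any swap
    honest = mint_from_pool_ratio(pool, Fraction(100))
    pool.swap_bnb_for_usdt(Fraction(9_000))           # one large swap skews the reserves
    inflated = mint_from_pool_ratio(pool, Fraction(100))
    try:
        mint_with_oracle(pool, Fraction(100), oracle_ratio)
        blocked = False
    except ValueError:
        blocked = True                                # guarded path rejects the skewed pool
    return honest, inflated, blocked
```

The unguarded rule pays out 100 times more after the swap because it reads a value that can be moved within a single transaction, while the guarded rule rejects the mint once the pool drifts from the reference.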