Knownsec Blockchain Lab|Binance SmartChain PancakeBunny (BUNNY) Attack Event Analysis
Preface
At 10:34:28 on May 20th, World Time, Binance Smart Chain (BSC) DeFi revenue aggregator PancakeBunny (BUNNY) was attacked by lightning loans from external developers. Hackers used lightning loans to arbitrage 114,631 BNB, about 4000W USD , The amount involved is huge. Knownsec Blockchain Lab aims to get a glimpse of the secrets of lightning loan arbitrage through a comprehensive review of the attack process and code details.
basic information
Attacker address: 0xa0acc61547f6bd066f7c9663c17a312b6ad7e187
Attack contract address: 0xcc598232a75fb1b361510bce4ca39d7bc39cf498
Attack transaction hash:
0x897c2de73dd55d7701e1b69ffb3a17b0f4801ced88b0c75fe1551c5fcce6a979
Hackers used flash loans to borrow a large amount of BNB, manipulated USDT/BNB and BUNNY/BNB prices through PancakeSwap, obtained a large amount of BUNNY and then sold it, causing the BUNNY price to crash and profit from it. The laboratory analyzed the attack and found the transaction link and attack contract address on the chain.
Attack contract address:
0xcc598232a75fb1b361510bce4ca39d7bc39cf498
Attack transaction link and screenshot:
https://bscscan.com/tx/0x897c2de73dd55d7701e1b69ffb3a17b0f4801ced88b0c75fe1551c5fcce6a979
Detailed attack steps
1. The attacker first calls the transaction shown in Figure 2 and makes a mortgage, at which time a mortgage reward will be generated;
2. Then the attacker borrowed a large amount of BNB and USDT from the lightning loan platform through the transaction in Figure 1, and added liquidity through the PancakeSwap trading pair to obtain lp tokens (144\,445), and left lp tokens in the transaction In the contract;
3. Because the attacker has mortgaged, and then obtains the BUNNY token reward and retrieves the liquidity of the previous mortgage by calling the getReward function of the VaultFlipToFlip contract in Figure 3, but in the reward calculation, there is a problem with the logic of obtaining the minting amount. A large number of BUNNY tokens (6972455), which were exchanged into BNB through PancakeSwap, caused the price of BUNNY to plummet;
4. After obtaining the BNB in 3 steps, return it to the flash loan address, and profit from 114,631 BNB, worth about 4000W USD.
To sum up
In this attack, the attacker completed a series of operations such as borrowing, redeeming, obtaining rewards, and returning flash loans in a transaction. The main reason was that there was a logical problem in the project’s obtaining the lp price when calculating mortgage rewards, which led to hackers using This vulnerability was attacked.
At present, we noticed on the twitter of the project party that the project party has suspended the deposit and withdrawal functions of some projects and is discussing security repair plans and compensation plans. If there is new progress, the laboratory will follow up and analyze it as soon as possible, please continue to pay attention!
About Us: Knownsec Blockchain Lab has a team of top international blockchain security experts and 9 years of experience in security services for leading blockchain companies. It has served as the world’s leading digital currency exchange, wallet, underlying public chain, Smart contracts and other projects conduct security audits and defense deployments, and maintain the leading domestic core competitiveness in blockchain technology security, risk control security, and anti-hacking security.
Official Website | Designated storage platform | Contact us | Twitter
