PancakeHunny Post Mortem Analysis
Dear PancakeHunny Community,
As mentioned in the earlier Medium post, an incident occurred at PancakeHunny.
This article includes a detailed analysis of the incident in its entirety to ascertain the nature of the attack and prevent any similar exploits in the future.
No hives (vaults) were breached. All funds are safe. Our hives are auto-compounding as per usual, with their rewards being in the native token only.
Read the preliminary report for more basic information.
Here’s a report and a detailed timeline on what the exploiter did:
Exploiter’s wallet address: 0x0ef50be29c82ecf2158ec1886dc6692a2b0db411
Total exploited transactions: 100
Total BNB gained by the attacker: 216 BNB
3rd June 2021
At 01:46 UTC — The attacker deployed a contract and added 0.5 BNB from an external wallet address: 0x6be5a267b04e9f24cdc1824fd38d63c436be91ab
At 02:12 UTC — The attack begins.
- WBNB was swapped to CAKE at PancakeSwap
- The attacker sent CAKE to our HUNNY Minter contract
- The attacker staked on CAKE-BNB Hive in PancakeHunny
- HUNNY Minter was “tricked” to mint more HUNNY tokens
- The attacker then un-staked from CAKE-BNB Hive to receive the HUNNY tokens from the Minter
- The attacker then sold the HUNNY tokens on PancakeSwap
At 02:42 UTC — The attacker converted all remaining wBNB into ETH, which was sent to an external wallet address: 0x2E5Ea63d69b2ed33C869eED58433f0F799E1F7AA
End of attack.
What immediate actions did we take?
At 02:42 UTC — We halted our Minter to protect our users from any further issues that could arise. We then immediately started to review and enhance our smart contracts.
What specific services were affected?
All of our Hives are unaffected. Since the minter was switched off, we were unable to allocate HUNNY profits to the respective Hives. This has since been resumed as of 10:40 UTC.
Due to the nature of the attack, users who have staked in our HUNNY Hive should observe an increase in profit as well as an increase in the unlocked HUNNY amount. This is because our Minter also distributed more profits to the HUNNY Hive. In short, other than a price dip, our users are actually benefitting from the higher profits (wBNB) gained from the HUNNY Hive.
Our Way Forward
We have since changed the logic behind the HUNNY Minter, so that it will only mint HUNNY based on the profits received from vaults. We will continue to implement our anti-whale feature to protect our Hives until further notice. Our enhanced code has also been sent to CertiK for audit. We will announce the result of the audit upon completion. Team PancakeHunny will continue to utilise our earned fees to initiate a buyback and burning of HUNNY tokens until HUNNY returns to the price before the attack.
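The Minter change described above, as a minimal model added to this write-up (it is not PancakeHunny's contract code): it assumes the pre-fix Minter sized each mint from its whole CAKE balance, and every name and number in it (`Ledger`, `mint_for`, `HUNNY_PER_CAKE`, the amounts) is constructed for illustration.

```python
from dataclasses import dataclass, field

HUNNY_PER_CAKE = 3  # constructed mint rate, not the project's real parameter


@dataclass
class Ledger:
    """Minimal stand-in for the CAKE token contract."""
    balances: dict = field(default_factory=dict)

    def transfer(self, src, dst, amount):
        if amount < 0 or self.balances.get(src, 0) < amount:
            raise ValueError("invalid transfer")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class BalanceBasedMinter:
    """Assumed pre-fix design: the mint basis is the minter's whole CAKE balance."""
    def __init__(self, cake, vaults):
        self.cake, self.vaults, self.minted = cake, set(vaults), 0

    def basis(self, profit):
        return self.cake.balances["minter"]  # also counts unsolicited transfers

    def mint_for(self, vault, profit):
        if vault not in self.vaults:
            raise PermissionError("caller is not a registered vault")
        self.cake.transfer(vault, "minter", profit)
        amount = self.basis(profit)
        self.cake.transfer("minter", "treasury", amount)
        self.minted += amount * HUNNY_PER_CAKE
        return amount * HUNNY_PER_CAKE


class ProfitBasedMinter(BalanceBasedMinter):
    """Changed logic as the text describes it: mint only on profit a vault sent."""
    def basis(self, profit):
        return profit  # stray balance stays in the minter and mints nothing


def simulate(minter_cls, unsolicited):
    """Return (HUNNY minted, HUNNY justified by vault profit) for one harvest."""
    cake = Ledger({"vault": 10, "outsider": unsolicited})
    minter = minter_cls(cake, ["vault"])
    cake.transfer("outsider", "minter", unsolicited)  # direct send, no vault involved
    minted = minter.mint_for("vault", 10)
    return minted, 10 * HUNNY_PER_CAKE
```

Comparing the two values returned by `simulate` is also a usable monitoring invariant: minted HUNNY should never exceed the amount justified by profit that vaults actually reported.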
Team PancakeHunny is committed to building and delivering our road map. In a week’s time, our swap function will go live, our farms will be expanded to offer more variety for our users and by the end of the month, HunnyPoker and HunnyLottery will go live as well. We are also working on delivering HunnyMall, featuring our limited HunnyBunnies NFTs and Cross-Chain farms. We will bring you only the best that we can offer.
Although this incident happened 2 days after our listing on PancakeSwap, all our hives are intact and unaffected. We’ve taken the chance to restructure our internal processes. This has made us stronger and more resilient than ever before. Again, we would like to emphasize that all funds are SAFU. Despite the price dip, HUNNY is still priced above our initial launch price, and with our very much anticipated developments ahead, we are ready to soar with you.
We are committed to providing a great DeFi platform with integrations of Poker, Lottery, NFT, and further gamification. We are here to restore the community’s confidence in PancakeHunny and create a better user experience for all.
Last but not least, we would like to thank our community for the great support and encouragement thus far.
Keep Hodling #NoHunnyNoMoney #NHNM