SlowMist: PancakeBunny Hack Analysis

SlowMist
May 20, 2021


According to news from SlowMist Zone, PancakeBunny, a DeFi revenue aggregator on the Binance Smart Chain, suffered a flash loan attack. The SlowMist security team got involved immediately and shares the results in the form of a newsletter for your reference.

Attack analysis

1. The attacker first initiates a transaction that uses 0.5 WBNB and about 189 USDT to add liquidity in PancakeSwap and obtain the corresponding LP, and then stakes the LP in the VaultFlipToFlip contract of the PancakeBunny project.

2. After the LP has been staked, the attacker initiates another transaction. In this transaction, the attacker first borrows a huge amount of WBNB tokens from multiple PancakeSwap liquidity pools and borrows a certain amount of USDT tokens from the flash loan module of the Fortube project. The attacker then uses all the borrowed USDT tokens and some of the WBNB tokens to add liquidity to PancakeSwap’s WBNB-USDT pool, and leaves the obtained LP in the WBNB-USDT pool.

3. Since the attacker has already staked LP in the VaultFlipToFlip contract in step 1, after adding liquidity the attacker directly calls the getReward function of the VaultFlipToFlip contract to obtain BUNNY token rewards and retrieve the previously staked liquidity.

4. During the getReward operation, the mintForV2 function of the BunnyMinterV2 contract is called to mint BUNNY token rewards for the caller.

5. In the mintForV2 operation, a certain amount of LP (the performanceFee) is first transferred to the WBNB-USDT pool to remove liquidity. But because the attacker left a large amount of LP in the pool in step 2, the BunnyMinterV2 contract receives a large amount of WBNB tokens and USDT tokens.

6. After the liquidity removal is completed, the zapInToken function of the zapBSC contract will be called to transfer the WBNB and USDT tokens received in step 5 to the zapBSC contract.

7. In the zapInToken operation, the transferred USDT is converted into WBNB in the WBNB-USDT pool of PancakeSwap. Afterwards, half of the WBNB in the contract is exchanged for BUNNY tokens in the WBNB-BUNNY pool of PancakeSwap, the obtained BUNNY tokens and the remaining WBNB tokens are added to the WBNB-BUNNY pool to obtain LP, and this LP is sent to the mintForV2 contract (BunnyMinterV2). However, because of the unexpectedly large amount of WBNB received in step 5 and the conversion of WBNB into BUNNY tokens, the amount of WBNB in the WBNB-BUNNY pool increases significantly.

8. After the zapInToken operation completes, the amount of WBNB-BUNNY LP received by the BunnyMinterV2 contract is calculated and returned to mintForV2. The valueOfAsset function of the PriceCalculatorBSCV1 contract is then called to calculate the value of these LPs, with the value denominated in BNB (that is, how much BNB a single LP is worth).

9. The valueOfAsset calculation takes the real-time amount of WBNB in the WBNB-BUNNY pool, multiplies it by 2 and divides it by the total supply of WBNB-BUNNY LP to get the value of a single LP (valueInBNB). But after step 7, the amount of WBNB in the WBNB-BUNNY pool has unexpectedly increased significantly, which leads to a very high price relative to BNB when the value of a single LP is calculated.

10. Then in mintForV2, the contract will use the LP value calculated in step 9 to calculate how many BUNNY tokens need to be minted for the attacker through the amountBunnyToMint function. However, due to the flaws in the price calculation method, the final LP price was maliciously manipulated and increased by the attacker, which resulted in the BunnyMinterV2 contract eventually minting a large number of BUNNY tokens (about 6.97 million) for the attacker.

11. After getting the BUNNY tokens, the attacker sold them in batches for WBNB and USDT to repay the flash loans, then left with the profit once the entire attack was complete.

Summary

This is a typical attack that uses flash loans to manipulate prices. The key point is that the price calculation of the WBNB-BUNNY LP is flawed, and the number of BUNNY minted by the BunnyMinterV2 contract depends on this flawed LP price calculation. This ultimately allowed the attacker to use flash loans to manipulate the WBNB-BUNNY pool and raise the price of the LP, making the BunnyMinterV2 contract mint a large amount of BUNNY tokens for the attacker.

The SlowMist security team recommends that such LP price calculations use a credible delayed price feed oracle, or refer to the LP price calculation method previously studied by the Alpha Finance team, to avoid a recurrence of this kind of malicious manipulation.
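The spot valuation from step 9 compared with a manipulation-resistant one, as an added example that is not code from PancakeBunny or SlowMist. It assumes a plain constant-product pool with constructed reserves and a 0.25% swap fee, an external BUNNY price supplied by a trusted delayed feed, and the fair-reserves formula 2*sqrt(r0*r1)*sqrt(p0*p1)/totalSupply, taken here to be the Alpha Finance method the recommendation refers to; all function and class names are hypothetical.

```python
from math import isqrt

E18 = 10**18  # 18-decimal token units

class Pool:
    """Constant-product WBNB-BUNNY pool; reserves are constructed sample values."""
    def __init__(self, wbnb, bunny):
        self.wbnb, self.bunny = wbnb, bunny
        self.total_lp = isqrt(wbnb * bunny)  # LP supply at the initial deposit

    def swap_wbnb_for_bunny(self, amount_in, fee_bps=25):
        """Swap along x*y=k with an assumed 0.25% fee; returns BUNNY paid out."""
        eff = amount_in * (10_000 - fee_bps)
        out = eff * self.bunny // (self.wbnb * 10_000 + eff)
        self.wbnb += amount_in
        self.bunny -= out
        return out

def spot_lp_value(pool, lp_amount):
    """Step 9 formula: real-time WBNB reserve * 2 / total LP supply."""
    return pool.wbnb * 2 * lp_amount // pool.total_lp

def fair_lp_value(pool, lp_amount, price_num, price_den):
    """2*sqrt(r0*r1)*sqrt(p0*p1)/supply, denominated in BNB.

    p0 = 1 (WBNB); p1 = price_num/price_den BNB per BUNNY, taken from a
    trusted delayed feed (assumed), never from the pool's live reserves.
    """
    k = pool.wbnb * pool.bunny
    return 2 * isqrt(k * price_num // price_den) * lp_amount // pool.total_lp

def compare_valuations():
    """Value 1 LP before and after a large single-transaction WBNB inflow."""
    pool = Pool(1_000 * E18, 20_000 * E18)   # implies 0.05 BNB per BUNNY
    before = (spot_lp_value(pool, E18), fair_lp_value(pool, E18, 1, 20))
    pool.swap_wbnb_for_bunny(9_000 * E18)    # reserves skewed within one tx
    after = (spot_lp_value(pool, E18), fair_lp_value(pool, E18, 1, 20))
    return before, after

if __name__ == "__main__":
    (spot0, fair0), (spot1, fair1) = compare_valuations()
    print(f"spot: {spot0 / E18:.4f} -> {spot1 / E18:.4f} BNB per LP")
    print(f"fair: {fair0 / E18:.4f} -> {fair1 / E18:.4f} BNB per LP")
```

The spot value scales with the live WBNB reserve, while the fair value depends only on the pool invariant and the external price, so it moves only by the small amount the swap fee adds to the invariant.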

About us

SlowMist Technology is a company focused on blockchain ecosystem security. It has served many top or well-known projects around the world through “the security solution that integrated the threat discovery and threat defense while tailored to local conditions” and has thousands of commercial customers. SlowMist’s security solutions include security audit, threat intelligence (BTI), bug bounty, defense deployment, security consultant, and other services. SlowMist also offers SaaS security products including cryptocurrency anti-money laundering (AML), a false top-up scanner, a vulnerability scanner, vulnerability monitoring (Vulpush), hacked project archives (SlowMist Hacked), a smart contract firewall (FireWall.X), and Safe Staking. It has received wide attention and recognition from the industry.


Written by SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.