By: Kong@SlowMist Security Team

According to SlowMist Zone intelligence, the PancakeBunny project, a DeFi yield aggregator on the Binance Smart Chain, suffered a flash loan attack. The SlowMist security team immediately began analyzing the incident and shares the results here in the form of a newsletter for your reference.

Attack process analysis

1. The attacker first initiated a transaction that used 0.5 WBNB and about 189 USDT to add liquidity to PancakeSwap and obtain the corresponding LP, and then pledged the LP to the VaultFlipToFlip contract of the PancakeBunny project.

2. After the LP pledge was completed, the attacker initiated another transaction. In this transaction, the attacker first borrowed a huge amount of WBNB tokens from multiple liquidity pools of PancakeSwap, and borrowed a certain amount of USDT tokens from the flash loan module of the Fortube project. Then all of the borrowed USDT tokens and part of the WBNB tokens were used to add liquidity to the WBNB-USDT pool of PancakeSwap, and the resulting LP was left in the WBNB-USDT pool.

3. Since the attacker had already pledged in the VaultFlipToFlip contract in step 1, the attacker directly called the getReward function of the VaultFlipToFlip contract after adding liquidity, to obtain the BUNNY token reward and retrieve the previously pledged liquidity.

4. The getReward operation calls the mintForV2 function of the BunnyMinterV2 contract to mint BUNNY token rewards for the caller.

5. The mintForV2 operation first transfers a certain amount (performanceFee) of LP to the WBNB-USDT pool to remove liquidity. However, since the attacker left a large amount of LP in the pool in step 2, the BunnyMinterV2 contract receives a large amount of WBNB tokens and USDT tokens.

6. After the liquidity is removed, the zapInToken function of the zapBSC contract is called to transfer the WBNB and USDT tokens received in step 5 into the zapBSC contract respectively.

7. In the zapInToken operation, the transferred USDT is exchanged for WBNB in PancakeSwap's WBNB-USDT pool. Then half of the WBNB in the contract is exchanged for BUNNY tokens in PancakeSwap's WBNB-BUNNY pool, and the obtained BUNNY tokens and the remaining WBNB tokens are added to the WBNB-BUNNY pool as liquidity to obtain LP, and this LP is transferred to the mintForV2 contract. Because of the unexpectedly large amount of WBNB received in step 5 and the exchange of WBNB for BUNNY tokens, the amount of WBNB in the WBNB-BUNNY pool increases significantly.

8. After the zapInToken operation is completed, the number of WBNB-BUNNY LPs currently received by the BunnyMinterV2 contract is calculated and returned to mintForV2. The valueOfAsset function of the PriceCalculatorBSCV1 contract is then called to calculate the value of these LPs, with the calculated value settled in BNB (i.e. how many BNBs a single LP is worth).

9. In the valueOfAsset calculation, the real-time amount of WBNB in the WBNB-BUNNY pool is multiplied by 2 and then divided by the total number of WBNB-BUNNY LPs to calculate the value of a single LP (valueInBNB). However, after step 7 the amount of WBNB in the WBNB-BUNNY pool has increased significantly and unexpectedly, so the calculated value of a single LP relative to BNB becomes very high.

10. Then, in mintForV2, the contract uses the LP value calculated in step 9 to calculate, through the amountBunnyToMint function, how many BUNNY tokens need to be minted for the attacker. However, because of the defect in the price calculation method, the price of LP was maliciously manipulated and raised by the attacker, which resulted in the BunnyMinterV2 contract eventually minting a large number of BUNNY tokens (about 6.97 million) for the attacker.

11. After getting the BUNNY tokens, the attacker sold them in batches for WBNB and USDT to repay the flash loan. After completing the entire attack, the attacker took the money and left.

Summary

This is a typical attack that uses flash loans to manipulate prices. The key point is that there is a flaw in the price calculation of WBNB-BUNNY LP, and the amount of BUNNY minted by the BunnyMinterV2 contract depends on this flawed LP price calculation method. Ultimately, the attacker used flash loans to manipulate the WBNB-BUNNY pool, thereby raising the price of LP and causing the BunnyMinterV2 contract to mint a large number of BUNNY tokens for the attacker.
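
The pricing flaw in step 9 can be reproduced with a small model. The following is an added example, not code from the PancakeBunny contracts or from the original analysis: it compares the spot-reserve LP valuation described in step 9 with a geometric-mean valuation that takes the BUNNY price from outside the pool (a substituted mitigation technique, not something the project is stated to use). The pool sizes, the reference price, the fee-free swap that stands in for the zapInToken inflow, and all function names are constructed assumptions.

```python
from math import sqrt

class Pool:
    """Constant-product WBNB-BUNNY pool; swap fees ignored (constructed model)."""
    def __init__(self, wbnb, bunny, lp_supply):
        self.wbnb, self.bunny, self.lp_supply = wbnb, bunny, lp_supply

    def swap_wbnb_for_bunny(self, wbnb_in):
        k = self.wbnb * self.bunny              # invariant x * y = k
        self.wbnb += wbnb_in
        bunny_out = self.bunny - k / self.wbnb
        self.bunny -= bunny_out
        return bunny_out

def spot_value_in_bnb(pool):
    """Step 9 as described: real-time WBNB reserve * 2 / total LP supply."""
    return 2 * pool.wbnb / pool.lp_supply

def fair_value_in_bnb(pool, bunny_price_bnb):
    """Geometric mean of reserves, priced with a reference from outside the pool."""
    return 2 * sqrt(pool.wbnb * pool.bunny * bunny_price_bnb) / pool.lp_supply

def safe_value_in_bnb(pool, bunny_price_bnb, max_deviation=0.02):
    """Refuse to value LP while spot and reference valuations disagree."""
    spot = spot_value_in_bnb(pool)
    fair = fair_value_in_bnb(pool, bunny_price_bnb)
    if abs(spot - fair) > max_deviation * fair:
        raise ValueError("pool reserves deviate from reference price")
    return fair

def compare(wbnb_in, ref_price=0.1):
    """Return (spot, fair) per-LP values before and after a large WBNB inflow."""
    pool = Pool(wbnb=10_000.0, bunny=100_000.0, lp_supply=30_000.0)  # constructed
    before = (spot_value_in_bnb(pool), fair_value_in_bnb(pool, ref_price))
    pool.swap_wbnb_for_bunny(wbnb_in)           # same-transaction reserve skew
    after = (spot_value_in_bnb(pool), fair_value_in_bnb(pool, ref_price))
    return before, after, pool

if __name__ == "__main__":
    before, after, skewed = compare(90_000.0)
    print("per-LP value before (spot, fair):", before)
    print("per-LP value after  (spot, fair):", after)
```

In this model the spot valuation rises tenfold within one transaction while the geometric-mean valuation is unchanged, because a swap leaves the product of the reserves constant; any mint amount derived from the spot figure inherits that inflation.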