PancakeBunny Suffers Flash Loan Attack

  • The attacker was able to get away with almost 700,000 BUNNY tokens and 114,000 BNB tokens, which at the time were worth around $200 million.
  • PancakeBunny is the third, and largest, BSC-based DeFi project to suffer from an exploit in the last 30 days.
Price chart going down


The attack on Binance Smart Chain (BSC)-based DeFi projects continue, with the latest victim being one of the largest DeFi players on BSC, PancakeBunny.

According to PancakeBunny’s Twitter, an unknown hacker used a flash loan attack to borrow a “huge amount” of BNB tokens from PancakeSwap, which he then used to manipulate the price of USDT/BNB and BUNNY/BNB vaults. After acquiring a large amount of BUNNY tokens, the attacker then dumped them all on the market, and paid his flash loan back. PancakeBunny said on Twitter:

While the project did state that there was no smart contract hack and no vaults were compromised, the unknown attacker was still able to get away with almost 700,000 BUNNY tokens and 114,000 BNB tokens, which at the time were worth around $200 million. Unsurprisingly, the price of BUNNY has suffered tremendously in the last hours, with it trading around the $170 mark at the time of the hack, and now exchanging hands for almost $30.

PancakeBunny is the third BSC-based DeFi project to suffer an exploit in the past 30 days. At the start of May, BSC-based liquidity platform Spartan Protocol lost more than $30 million in an exploit. Similarly to PancakeBunny, the attacker used a flash loan — and a “flawed liquidity share calculation” — to inflate the project’s SPARTA/WBNB pool, and then claimed a large amount of its underlying assets.

A week before that, another attacker exploited a bug in Uranium Finance’s V2.1 migration event, enabling him to steal more than $50 million in crypto. This marked the second attack on Uranium Finance, with the DeFi project loosing around $1.3 million worth of BNB and BUSD just 20 days prior.

Related Coverage
Beanstalk Farms Loses $182M Following Exploit
  • A flash loan allowed the attacker to obtain enough Beanstalk governance tokens to pass two proposals, enabling him to drain the protocol’s funds.
  • The malicious entity was able to steal 24,830 ETH and 36 million BEAN tokens, which were then laundered through TornadoCash.
April 18, 2022, 4:17 PM
beanstalk farms


How to Find The Best DeFi Pools For Your Assets
  • Investment opportunities in defi are innumerous, but finding the best hasn’t been an easy task thus far.
  • Yield Samurai is a decentralized finance data aggregator that helps investors find the highest-yielding pools in a few clicks.
5 Cryptoassets You Are Paid to Borrow
  • The BAT, LINK, UNI, WBTC, and ZRX pools on Compound all have a negative borrow rate for the past month.
  • The negative borrow rate is the result of Compound paying borrowers COM token rewards.