PancakeBunny Suffers Flash Loan Attack

The attack on Binance Smart Chain (BSC)-based DeFi projects continue, with the latest victim being one of the largest DeFi players on BSC, PancakeBunny.

According to PancakeBunny’s Twitter, an unknown hacker used a flash loan attack to borrow a “huge amount” of BNB tokens from PancakeSwap, which he then used to manipulate the price of USDT/BNB and BUNNY/BNB vaults. After acquiring a large amount of BUNNY tokens, the attacker then dumped them all on the market, and paid his flash loan back. PancakeBunny said on Twitter:

While the project did state that there was no smart contract hack and no vaults were compromised, the unknown attacker was still able to get away with almost 700,000 BUNNY tokens and 114,000 BNB tokens, which at the time were worth around $200 million. Unsurprisingly, the price of BUNNY has suffered tremendously in the last hours, with it trading around the $170 mark at the time of the hack, and now exchanging hands for almost $30.

PancakeBunny is the third BSC-based DeFi project to suffer an exploit in the past 30 days. At the start of May, BSC-based liquidity platform Spartan Protocol lost more than $30 million in an exploit. Similarly to PancakeBunny, the attacker used a flash loan — and a “flawed liquidity share calculation” — to inflate the project’s SPARTA/WBNB pool, and then claimed a large amount of its underlying assets.

A week before that, another attacker exploited a bug in Uranium Finance’s V2.1 migration event, enabling him to steal more than $50 million in crypto. This marked the second attack on Uranium Finance, with the DeFi project loosing around $1.3 million worth of BNB and BUSD just 20 days prior.