The latest victim in the wave of flash loan attacks targeting the decentralized finance (DeFi) industry is one of its largest players — PancakeBunny.
An attacker made off with around $200 million from the BSC exchange after manipulating its price. The team tweeted on May 20 to confirm that there was no smart contract hack or vault compromise but more of an “economic exploit:”
“We would like to remind the community that no vaults have been compromised. The exploit was an economic exploit that attacked the price of BUNNY, using flash loans. We repeat, no vaults have been breached.”
The attacker made off with an estimated 700,000 BUNNY tokens and 114,000 BNB worth a whopping $200 million at prices at the time.
PancakeBunny reiterated that none of the vaults had been exploited but that is of little consolation since a massive amount was stolen by other means.
It explained that the hacker used PancakeSwap to borrow a huge amount of BNB before going on to manipulate the price of USDT/BNB as well as BUNNY/BNB. The team did not mention exactly how this price manipulation occurred though no doubt it will be revealed in a full post mortem at a later stage.
Once the price had been pumped, the attacker dumped all of the BUNNY tokens he had accrued back onto the market, causing it to crash, before repaying the BNB flash loan.
Flash loans have become the weapon of choice for attackers as they allow large sums to be withdrawn, used for nefarious purposes, and repaid all within the same transaction.
The latest update from PancakeBunny stated:
“We have determined the nature of the exploit and how it occurred. Additionally, we are working on a reimbursement plan. Withdrawals and deposits will be frozen temporarily until we increase security.”
BUNNY price dumps 95%
As if things weren’t bad enough on bleeding crypto markets, the BUNNY token has collapsed in the wake of the attack.
BUNNY was trading as high as $170 before the attack according to CoinGecko, and it has now dumped around 95% to $9.30.
BNB prices have also suffered with a 25% slide on the day to $340 following a post attack dump to $300.