Popular Binance Smart Chain-based decentralized finance protocol PancakeBunny has suffered a major exploit that allowed a hacker to make off with more than $200 million worth of crypto assets.
According to a series of threads posted by the PancakeBunny team in the past hour, the protocol was subject to a flash loan attack from an external actor. The attacker borrowed “a huge amount” of Binance Coin (BNB) before manipulating the asset’s price and dumping it on the platform’s BUNNY/BNB market.
4⃣ The hacker then dumped all the bunny in the market, causing the bunny price to plummet
— pancakebunny.finance (@PancakeBunnyFin) May 20, 2021
The attack saw the price of BUNNY quickly pumped from $150 to $240 before plummeting to $0 in just 30 minutes. After consolidating below $10 for roughly two hours, BUNNY last changed hands for $8.8.
BUNNY/BNB was the only pool to be drained by the hacker, with the malicious actor making off with 697,000 BUNNY and 114,000 BNB. With Binance Coin trading for roughly $296 at the time of writing, the hacker is believed to have made off with $200 million in assets.
The attacker also attached a private note containing a rabbit-themed pun to the transactions that drained the pool that reads: “ArentFlashloansEaritating.” All funds borrowed to execute the attack were returned via PancakeSwap.
As the hack wreaked havoc across one of Binance Smart Chain’s leading projects — with Bunny representing a total value locked of more than $1 billion prior to the hack — onlookers are discussing whether Binance will move to roll back the incident.
In May 2019, Binance lost more than $40 million in a major attack, with CEO Changpeng Zhao suggesting the losses could be reversed by convening with miners to roll back transactions from the Bitcoin blockchain.
PancakeBunny is the latest DeFi protocol to suffer a flash loan attack, with the exploit increasingly manifesting as a scourge on the decentralized finance sector.
In April, crypto data aggregator Messari reported that flash loans had become the most popular attack vector in the DeFi ecosystem, accounting for roughly half of the $285 million worth of DeFi exploits identified since 2019.