defirisk.co
rubric v1.7.0

PancakeBunny: Flash loan + spot price manipulation → inflated LP token valuation → excess BUNNY minting

PancakeBunny lost $45M when an attacker used 8 coordinated flash loans to inflate the spot price of LP tokens, minting 6.97M BUNNY tokens as fraudulent rewards before dumping them and crashing BUNNY 96%.

Occurred 2021-05-19 Loss $45M Status closed

Summary #

PancakeBunny suffered a Yield Aggregator / Vault on 2021-05-19, resulting in a loss of approximately $45M.

What happened #

PancakeBunny lost $45M when an attacker used 8 coordinated flash loans to inflate the spot price of LP tokens, minting 6.97M BUNNY tokens as fraudulent rewards before dumping them and crashing BUNNY 96%.

Linked factors #

  • RD-F-001 — causal : ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: N — Haechi audited the original contracts; the team upgraded to new contracts (VaultFlipToFlip) without a new audit. Haechi's post-incident ...] || ★ Audit scope mismatch — full field name [via dashboard_risk_factors/Was exploited code in audit scope?: N — Haechi audited the original contracts; the team upgraded to new contracts (VaultFlipToFlip) without a new audit. Haechi's post-incident ...] || ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — the exploited vault code was a post-audit upgrade]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — VaultFlipToFlip was a new upgrade not audited by Haechi] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — VaultFlipToFlip was a new upgrade not audited by Haechi] || Time between audit end and deploy [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract] || (+1 more matches)
  • RD-F-007 — causal : Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
  • RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — WBNB/BUSDT LP token valuation would have shown extreme anomaly during the swap manipulation window]
  • RD-F-100 — illustrative : Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — 8 simultaneous flash loans from different sources is highly anomalous]
  • RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Unknown]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — BSC yield aggregator forking concepts from Yearn and Bunny-style vaults]
  • RD-F-139 — causal : ★ Post-audit code changes deployed without re-audit [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]
  • RD-F-141 — related : Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
  • RD-F-146 — related : New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract] || New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — VaultFlipToFlip was a new upgrade not audited by Haechi]