defirisk.co
rubric v1.7.0

PancakeBunny (Polygon deployment — polyBUNNY): Flash Loan + Reward Minting Manipulation (Performance Fee Inflation)

PancakeBunny's Polygon deployment lost $2.4M to the exact same flash loan / reward-minting exploit that had already drained their BSC protocol two months earlier — and had been publicly demonstrated against a direct fork just 48 hours before.

Occurred: 2021-07-18
Loss: $2M
Status: closed

Summary

PancakeBunny (Polygon deployment — polyBUNNY), a yield aggregator, suffered a flash loan and reward-minting manipulation exploit on 2021-07-18, resulting in a loss of approximately $2M.

What happened

PancakeBunny's Polygon deployment lost $2.4M to the exact same flash loan / reward-minting exploit that had already drained their BSC protocol two months earlier — and had been publicly demonstrated against a direct fork just 48 hours before.

Linked factors

  • RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — Polygon is a new chain deployment]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
  • RD-F-100 — illustrative : Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing (Y/N): Y — large AAVE flash loan]
  • RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Partially anonymous]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Polygon deploy is essentially same codebase as BSC]