In brief

  • A DeFi protocol called PancakeBunny was exploited last night.
  • The attacker made off with $45 million.

One of the appeals of cryptocurrency is that it’s mostly transparent. Ledgers keep a record of every transaction on a given blockchain, and so-called “block explorers” like Etherscan and BSCscan let you peruse the archives with a handy search function. Criminals have ways of obfuscating the paper trail—but when a large amount of money suddenly changes hands, people notice.

Last night, PancakeBunny—a DeFi protocol that operates on the Binance Smart Chain (BSC) network—was exploited to the tune of $45 million. And thanks to the magic of distributed ledgers, there’s a record of exactly how it happened.

Trading platforms under the heading of DeFi (decentralized finance) are non-custodial, which means the smart contracts themselves (chunks of code, essentially) are moving your money around, rather than bankers or investment managers. The algorithms decide the allocations. There’s now nearly $70 billion entrusted to these systems on the Ethereum network alone, according to the blockchain data site DeFi Pulse. There’s another $30 billion locked up on the Binance Smart Chain, per the BSC metrics site Defistation.

Like most things in crypto, PancakeBunny also has a governance token, BUNNY, which was trading at around $145 until the exploit.

Since DeFi protocols like PancakeBunny don’t deal with banks, they incentivize liquidity with dedicated LP tokens. Anyone can pour money into a DeFi service and become a liquidity provider. The more money you put in, the more LP tokens you get. These are valuable in and of themselves, but they can also be used to claim rewards.

The price of these tokens is controlled in part by an algorithm known as an “automated market maker,” or AMM. The PancakeBunny exploiter was able to manipulate the AMM with a series of eight flash loans (the loans are recorded on BSCScan), sending the price up artificially. As an analysis from the blockchain data company PeckShield points out, the attacker then used a function called “getReward()” to claim an outsize reward: 6,790,000 $BUNNY, or over $1 billion at yesterday’s prices. BSCScan shows that after dumping the tokens and paying back the flash loans, the exploiter came away with $45 million.
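To make the mechanism concrete, here is an added toy model (not code from the article, from PeckShield or from PancakeBunny, and not a reproduction of the protocol's contracts): a fee-free constant-product pool whose spot price is its reserve ratio, a naive reward function that mints in proportion to that spot price, and a time-weighted average price (TWAP) alternative that only sees prices recorded at block boundaries. A single large trade made and unwound inside one transaction, the shape a flash loan takes, moves the spot price and therefore the naive reward, while the TWAP never observes the manipulated price at all. All reserves, the loan size, the reward rate and the `simulate` flow are constructed for illustration.

```python
from fractions import Fraction


class ConstantProductPool:
    """Toy x*y=k pool, fee-free so the flash-loan round trip unwinds exactly.
    Constructed for illustration; not PancakeSwap's or PancakeBunny's code."""

    def __init__(self, reserve_x, reserve_y):
        self.x = Fraction(reserve_x)
        self.y = Fraction(reserve_y)
        # (block, spot price) samples taken once per block, at the block's end
        self.observations = []

    def spot_price(self):
        """Price of X in units of Y: simply the current reserve ratio."""
        return self.y / self.x

    def swap_y_for_x(self, amount_y):
        """Buy X by depositing Y; reserves move along x*y=k."""
        k = self.x * self.y
        new_y = self.y + Fraction(amount_y)
        new_x = k / new_y
        out = self.x - new_x
        self.x, self.y = new_x, new_y
        return out

    def swap_x_for_y(self, amount_x):
        """Sell X back into the pool for Y."""
        k = self.x * self.y
        new_x = self.x + Fraction(amount_x)
        new_y = k / new_x
        out = self.y - new_y
        self.x, self.y = new_x, new_y
        return out

    def end_block(self, block):
        """Record the price the pool closes the block with (TWAP input)."""
        self.observations.append((block, self.spot_price()))

    def twap(self, window):
        """Mean of the last `window` block-boundary prices."""
        prices = [p for _, p in self.observations[-window:]]
        return sum(prices) / len(prices)


# Hypothetical reward rules; the rate of 0.1 reward token per unit of value is made up.
RATE = Fraction(1, 10)


def reward_from_spot(pool, staked_x):
    """Naive rule: mint rewards against the pool's instantaneous spot valuation."""
    return staked_x * pool.spot_price() * RATE


def reward_from_twap(pool, staked_x, window=8):
    """Hardened rule: value the stake with a TWAP over recent block boundaries."""
    return staked_x * pool.twap(window) * RATE


def simulate():
    pool = ConstantProductPool(1000, 1000)  # constructed: price starts at 1 Y per X
    for block in range(1, 9):
        pool.end_block(block)  # eight quiet blocks, price stays 1:1

    honest = reward_from_spot(pool, 100)  # 100 X staked at price 1 -> 10 tokens

    # Block 9, one atomic transaction: borrow 9000 Y (constructed flash-loan size),
    # buy X to push the spot price up, claim rewards, sell back and repay.
    bought = pool.swap_y_for_x(9000)           # reserves now 100 X / 10000 Y, spot = 100
    inflated = reward_from_spot(pool, 100)     # 100 * 100 * 0.1 -> 1000 tokens
    twap_based = reward_from_twap(pool, 100)   # block-boundary prices are all 1 -> 10
    pool.swap_x_for_y(bought)                  # unwind; pool returns to 1000 X / 1000 Y
    pool.end_block(9)                          # the manipulated price never gets recorded

    return {
        "honest": honest,
        "inflated": inflated,
        "twap_based": twap_based,
        "price_after": pool.spot_price(),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The defensive point is the comparison between `reward_from_spot` and `reward_from_twap`: a reward (or collateral) valuation that reads the pool's reserve ratio at call time can be inflated by capital that exists only for the duration of one transaction, whereas a valuation built from prices committed at block boundaries forces the manipulation to persist across blocks, where it is visible and expensive to hold.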

Rather than stealing tokens from other DeFi users, the attacker minted new ones. But it’s still a net negative for $BUNNY holders: thanks to the disruption, the price crashed to the $20 range last night.

In a blog post, the PancakeBunny developers said they plan to “compensate Original Holders for the difference between the market cap at the time of the exploit and the current retained value of $39M (the Losses) by issuing a new token, pBUNNY, and by creating a Compensation Pool.”

DeFi platforms tend to be extremely risky investments. (In the world of fiat money, there are consumer protection laws that aim to mitigate fraud—crypto is much less strictly regulated). According to recent data, at least $156 million was stolen in DeFi-related hacks in the first four months of 2021; that’s up from an estimated $129 million in all of 2020.