PancakeBunny Incident: Root Cause Analysis



The Hack Walk-through

  • Step 1: Take 8 different flashloans, including 1.05M WBNB from WBNB+CAKE pool, 522.52K WBNB from WBNB+BUSD pool, 210.16K WBNB from WBNB+ETH pool, 133.50K WBNB from WBNB+BTCB pool, 241.02K WBNB from WBNB+SAFEMOON pool, 98.519K WBNB from WBNB+BELT pool, 66.29K WBNB from WBNB+DOT pool, and 2.96M USDT from Fortube Bank. The first seven flashloans are taken from various PancakeSwap pools while the last comes from Fortube Bank.
  • Step 2: Deposit 2.96M USDT and 7886 WBNB into WBNB+BUSDT pool as liquidity and mint in return 144.45K LP tokens.
  • Step 3: Swap 2.32M WBNB for 3.83M BUSDT via the above WBNB+BUSDT pool so that the pool has a sufficiently large WBNB reserve, which is used to influence the valuation of the pool tokens.
  • Step 4: Call getReward() to claim rewards from VaultFlipToFlip. With the higher LP token valuation, the attacker is able to claim reward of 6.97M BUNNY (valued about $1+ B). Note the dev team gets separate 1.05M BUNNY.
  • Step 5: Return the flashloans in Step 1 back to PancakeSwap pools and Fortube Bank.

The Stolen Funds

About Us




A Blockchain Security Company (

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

How to Navigate the Digital Age of Credit Cards Safely

Really? Chinese never care about privacy?

Cloudways Vs Godaddy — How Do They Compare?

Minswap proposes batch mining to ‘decentralize whole Cardano network’

The Utilities of GI Genesis NFT (GIGN)

{UPDATE} Uno Classico Cartas Hack Free Resources Generator

{UPDATE} Massive Jackpot Casino Hack Free Resources Generator

How to monitor for security events in an infrastructure?

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


A Blockchain Security Company (

More from Medium

Enjoy free Contract Audit from HashEx

How Big Of An Issue Is Game Cyber Security?

🗣Community question deep dive!

RQBERT Attack Report & Compensation Plan