As you know, PancakeBunny was hacked on May 19th at 11PM UTC, 5 hours before ApeRocket’s IAO.
This event was a real shock to the DeFi world, as it is the first time that a platform as big as PancakeBunny has been the victim of such an attack.
Since our platform is relatively close to Bunny’s in terms of structure, we decided to postpone the IAO in order not to take any risks. Even though there is no guarantee that such a scenario will happen again, the security of our users comes first, and we had to be 100% sure that you are not at risk when using our platform.
We have since identified and assessed the origin of the problem and have taken all the necessary measures to avoid any incident. We did not want to rush things, so we waited to learn more about this event before actively seeking a solution. It turned out that PancakeBunny was the victim of a flash loan attack. This attack was possible because of a vulnerability in the valueOfAsset function of PancakeBunny’s PriceCalculatorBSC contract.
In order to understand what we put in place, here is a short summary of what happened that day:
On Wednesday, May 19th, around 23:00 UTC, an attacker managed to manipulate the platform’s different LPs.
The operation took place in several parts:
1) The exploiter added a small number of assets to the Bunny USDT-WBNB Vault.
2) He borrowed 2.3M BNB ($704M) from seven PancakeSwap pools and 2.9M USDT from ForTube Bank using flash loans.
3) The hacker added 7.7k BNB and 2.9M USDT liquidity to the USDT-WBNB pool on PancakeSwap while leaving LP tokens in this pool.
4) Then he swapped 2.3M BNB to USDT through this pool.
5) Once everything was set, he minted 7M BUNNY ($1B+) using the assets from the first step; because of the extra LP tokens in the PancakeSwap pool, Bunny Finance believed that the exploiter had added a large amount of BNB.
6) Right after, the exploiter sold 4.8M minted BUNNY for 2.3M WBNB and 2.9M USDT, then started to repay flash loans.
7) Finally, he withdrew some ETH to Ethereum through the Nerve bridge.
This exploit was possible because PancakeBunny calculated the price of BNB in an insecure way, and that price was used to mint 3 BUNNY per BNB of performance fees. Since the price was manipulated by the attacker’s actions, a small performance fee represented a significant amount of BNB.
Despite the damage caused, it is worth mentioning that PancakeBunny acted in an exemplary manner, quickly taking the necessary measures to contain the hacker’s exploit and compensate the victims of the attack.
Regarding ApeRocket, we fortunately do not use the same calculation method. Indeed, we use the “Fair Asset Price” principle — highlighted by Alpha Finance — implemented with Chainlink and our own price oracle.
Thanks to Chainlink we have a range of price feeds at our disposal. For the most widely used pairs, such as those including USDT, USDC and BNB, we retrieve the price directly from these feeds.
Some pairs are unavailable on Chainlink, which is why we use our own price oracle. We populate this oracle off-chain with accurate prices, which prevents their manipulation.
We have chosen to develop our own oracle rather than use a TWAP oracle. This lets us ensure more reliability and accuracy in the way we handle the data, given the extreme volatility of the market. By using AWS, we have access to the best infrastructure possible, which allows us to secure critical operations and avoid any inconveniences. Every dataflow is encrypted and works as a complex firewall to protect our platform from intruders.
That safe approach protects us from any attempt to manipulate prices through “flash loans” or any related method. This provides more security for investors and makes the platform more easily scalable for the future.
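To make the difference between the two valuation methods concrete, here is an added example (not ApeRocket’s or PancakeBunny’s code) that models a toy constant-product BNB/USDT pool: it values one LP token first from the pool’s own spot reserves, the way a reserve-based valueOfAsset does, and then with the Alpha Finance “fair LP price” formula fed by an external price. The pool sizes, the flash-loan amount and the 300 USD/BNB feed value are constructed for illustration; the formula is Alpha Finance’s, and it is an assumption that ApeRocket’s implementation follows it exactly.

```python
import math


class ConstantProductPool:
    """Minimal x*y=k pool (BNB/USDT), no swap fee, no rounding."""

    def __init__(self, bnb: float, usdt: float, lp_supply: float):
        self.bnb, self.usdt, self.lp_supply = bnb, usdt, lp_supply

    def add_liquidity(self, bnb: float, usdt: float) -> float:
        """Proportional deposit; returns the LP tokens minted."""
        minted = min(bnb / self.bnb, usdt / self.usdt) * self.lp_supply
        self.bnb, self.usdt = self.bnb + bnb, self.usdt + usdt
        self.lp_supply += minted
        return minted

    def swap_bnb_for_usdt(self, bnb_in: float) -> float:
        """Constant-product swap; returns the USDT paid out."""
        k = self.bnb * self.usdt
        new_bnb = self.bnb + bnb_in
        usdt_out = self.usdt - k / new_bnb
        self.bnb, self.usdt = new_bnb, k / new_bnb
        return usdt_out


def naive_lp_value_in_bnb(pool: ConstantProductPool) -> float:
    """Reserve-based valuation: an LP token is worth its share of the BNB
    reserve, doubled (the USDT side is priced at the pool's own spot rate).
    This moves with every swap, so a single large swap inflates it."""
    return 2 * pool.bnb / pool.lp_supply


def fair_lp_value_in_bnb(pool: ConstantProductPool, bnb_usd: float) -> float:
    """Fair pricing: 2*sqrt(r0*r1)*sqrt(p0*p1)/supply, with p0, p1 taken
    from an external feed (bnb_usd stands in for a Chainlink answer).
    It depends only on k = r0*r1, which a swap leaves unchanged."""
    p_bnb, p_usdt = 1.0, 1.0 / bnb_usd  # both prices expressed in BNB
    k = pool.bnb * pool.usdt
    return 2 * math.sqrt(k) * math.sqrt(p_bnb * p_usdt) / pool.lp_supply


def compare_valuations(swap_bnb: float, bnb_usd: float = 300.0):
    """Constructed scenario: pool of 100k BNB / 30M USDT (spot = feed = 300),
    then one large BNB->USDT swap. Returns (naive, fair) before and after."""
    pool = ConstantProductPool(100_000.0, 30_000_000.0, 1_000_000.0)
    before = (naive_lp_value_in_bnb(pool), fair_lp_value_in_bnb(pool, bnb_usd))
    pool.swap_bnb_for_usdt(swap_bnb)
    after = (naive_lp_value_in_bnb(pool), fair_lp_value_in_bnb(pool, bnb_usd))
    return before, after
```

With a 2.3M BNB swap the reserve-based value of one LP token jumps from 0.2 BNB to 4.8 BNB, while the fair value stays at 0.2 BNB, which is why a performance fee computed from the former can be blown up by a flash loan and one computed from the latter cannot.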
That’s why we can already announce a new date for ApeRocket’s IAO, which will be hosted by ApeSwap on May 25th at 3am UTC. We hope to see many of you there, as we are even more excited to show you all that we have accomplished!