There have been two back-to-back flash loan attacks in a short period of time stemming from two unique Binance Smart Chain decentralized finance (defi) projects. Last Wednesday, the yield-farming platform Pancakebunny lost close to $3 million in a flash loan attack according to reports. The following Sunday, Bogged Finance saw $3 million exploited from a flash loan attack.
Pancakebunny Gets Hit by a Flash Loan Attack – $3 Million Drained
Ever since hackers leveraged flash loans to attack the defi margin trading protocol Bzx, flash loans have been a common attack in the defi world. Flash loans are a type of scheme that allows the issuance of loans within a single transaction or attack. Besides average people leveraging the flash loan construct for fun, malicious actors have found attack parameters in order to drain funds from defi projects.
This past week between a five-day period, there were two flash loan attacks that saw around $6 million in total taken from both projects combined. On May 19, the defi project Pancakebunny leveraged its Twitter account to announce the news.
Attention Bunny Fam— pancakebunny.finance (@PancakeBunnyFin) May 20, 2021
Our project has suffered a flash loan attack from an outside exploiter.
We will be posting a post mortem, in depth analysis, but for the time being we would like to update the community as to how this happened.
In a play-by-play recap, Pancakebunny said the “hacker used Pancakeswap to borrow a huge amount of BNB… then went on to [manipulate] the price of USDT/BNB as well as BUNNY/BNB. The hacker ended up getting a huge amount of BUNNY through this flash loan… The hacker then dumped all the bunny in the market, causing the bunny price to plummet. The hacker paid back the BNB through Pancakeswap.”
Bogged Finance Hacker Drains $3 Million of the Project’s $6 Million in Liquidity Using a ‘Complex Flash Loan Attack’
Then this weekend another Binance Smart Chain defi project called Bogged Finance took a flash loan beating for $3 million as well. The defi project Bogged Finance’s post mortem says: “BOG token was exploited by an unknown attacker who was able to drain $3m of the $6m liquidity using a complex Flash-Loan based attack. The attack was mitigated within 15 blocks of it starting to prevent a full drain of the liquidity pools.”
Bogged Finance said that it planned to force migrate the contract by using the same exploit the attacker used to remove “illegitimately obtained tokens.” The project’s team members added: “Everyone will receive their LP tokens and $BOG on a new contract over the coming hours.” An update on May 24, says that the project’s migration is taking longer than expected.
“The Bogged Finance Token Migration is taking longer than expected,” Bogged Finance explains. “The funds are being held securely in this wallet, until redeployment is complete. We are excited to launch the new version of the BOG Contract with over 7.5 million tokens burned. We will announce a countdown for the relaunch before launch.”
Both BUNNY and BOG markets suffered significantly after these flash loan attacks. BOG slipped from $1.80 per token to $0.0003 after the flash loan attack was revealed. BUNNY markets saw a loss of 95% after the flash loan attack took place on Wednesday.