Innovation has been the defining characteristic of the DeFi and digital assets domain. On one hand, developers and crypto enthusiasts have leaned on innovation to create value. On the other hand, hackers and scammers have resorted to the same innovation to erode value. The latest tool being used by scammers is the Flash Loan attack.
According to SlowMist, a blockchain ecosystem security analysis company, there were four incidents of Flash Loan attacks in May. PancakeBunny, Bogged Finance, AutoShark Finance, and MerlinLabs were the targets, with cumulative losses estimated at around USD 48 million and 200 ETH.
What is a Flash Loan Attack
Flash Loan exploitation is a cheap and effortless form of attack that targets the DeFi ecosystem. It is important to understand that these attacks use the uncollateralized lending feature coupled with the concept of arbitrage. Arbitrage is a low-risk method of earning profits from price differences of securities in different marketplaces. For instance, if a token is trading on two separate exchanges at different prices, an arbitrageur can buy it on the exchange with the lower price and sell it on the other exchange at the higher price.
Certain blockchain protocols allow users to borrow without pledging any security as collateral. Such uncollateralized loans get enforced automatically on the blockchain at the end of the loan tenure. A Flash Loan attacker uses this feature while simultaneously creating a false arbitrage situation through market manipulation. Such attacks rely heavily on the compromised smart contract protocol that settles the lending transactions at manipulated market rates.
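The following is an added example, not code from the original article or from any of the projects it names. It models why settling at a pool's current rate is fragile and shows one common mitigation: comparing the spot price with a time-weighted average from earlier blocks and rejecting settlement when the two diverge. The constant-product pool model, the 0.3% fee, the reserves, the 5% threshold and all names are assumptions made for illustration.

```python
from fractions import Fraction

FEE = Fraction(3, 1000)  # assumed 0.3% swap fee (constructed value)


class Pool:
    """Constant-product (x * y = k) pool holding BASE and TOKEN reserves."""

    def __init__(self, base, token):
        self.base = Fraction(base)
        self.token = Fraction(token)

    def spot_price(self):
        """BASE per TOKEN, read directly from the current reserves."""
        return self.base / self.token

    def swap_base_for_token(self, base_in):
        """Sell BASE into the pool; returns the TOKEN amount paid out."""
        effective = Fraction(base_in) * (1 - FEE)
        token_out = self.token * effective / (self.base + effective)
        self.base += Fraction(base_in)  # the fee stays in the pool
        self.token -= token_out
        return token_out


def twap(observations):
    """Time-weighted average of (price, seconds_held) pairs from earlier blocks."""
    total = sum(seconds for _, seconds in observations)
    return sum(price * seconds for price, seconds in observations) / total


def price_is_sane(spot, reference, max_deviation=Fraction(5, 100)):
    """Settlement guard: reject when spot strays too far from the reference."""
    return abs(spot - reference) <= max_deviation * reference


def demo():
    pool = Pool(base=10_000, token=1_000_000)  # constructed reserves
    history = [(pool.spot_price(), 600), (pool.spot_price(), 600)]
    reference = twap(history)
    before = price_is_sane(pool.spot_price(), reference)
    pool.swap_base_for_token(90_000)  # one loan-sized trade in a single transaction
    after = price_is_sane(pool.spot_price(), reference)
    return before, after, pool.spot_price() / reference


if __name__ == "__main__":
    print(demo())
```

A protocol that reads `spot_price()` directly would settle at roughly 100 times the earlier rate here, while the guard rejects it because the reference is built from observations made before the transaction began.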
Attack on PancakeBunny
On 20 May 2021, CoinDesk reported that BUNNY tokens nosedived 95% after a flash loan attack. BUNNY is a native token of the yield-farming aggregator PancakeBunny, which operates on the Binance Smart Chain. PancakeBunny’s official Twitter account posted a summary of the series of events in a tweet, clarifying that an in-depth analysis will soon follow.
The attacker used the decentralized exchange PancakeSwap to initiate a sizeable borrowing of Binance Coins (BNB). After the first step, the attack shifted towards manipulating the price of BNB/BUNNY and USDT/BNB. As a result, the attacker managed to receive many more BUNNY tokens from the flash loan. The final stage involved dumping these BUNNY tokens in the open market and paying off the loaned BNB on PancakeSwap. Due to the high volume of BUNNY being dumped, the price of the token fell to approximately USD 6. To put it in perspective, BUNNY was trading above USD 400 at the beginning of the month, as per CoinMarketCap.
The CoinDesk report hints that the attacker might have generated USD 3 million in profits, whereas PancakeBunny suffered a loss of approximately 115,000 WBNB and roughly 700,000 BUNNY, as per SlowMist. SlowMist estimates the total value at USD 45 million.