PancakeBunny's `VaultFlipToFlip` strategy computed BUNNY mint rewards using `getBunnyPrice()`, which read the spot price of the WBNB/BUNNY PancakeSwap pair as `WBNB.balanceOf(pair) / BUNNY_AMOUNT`. The attacker took a ~$700M WBNB flashloan from PancakeSwap, deposited WBNB/BUNNY LP into the vault, then manipulated the WBNB-BUNNY reserves by pumping WBNB into the pair before calling `getReward()`. Because BUNNY emissions scale linearly with the dollar value of staked LP measured via the manipulated spot price, the vault minted ~6.97M BUNNY to the attacker, which was instantly dumped against the same pair, crashing BUNNY ~99%. The bug is a single-block spot-price oracle on a manipulable on-chain reserve with no TWAP, no Chainlink reference, no liquidity-floor check — combined with mint authority that scales with the queried price.
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.
Classification: Ecosystem. Technique: Flashloan Price Oracle Attack. Target type: DeFi Protocol. Affected chains: BSC. Implementation language: Solidity.
- chain
- bsc
- protocol
- Bunny
- bug_class
- oracle
- date_occurred
- 2021-05-19
- loss_usd
- $45,000,000
- classification
- Ecosystem
- technique
- Flashloan Price Oracle Attack
- target_type
- DeFi Protocol
- language
- Solidity
- source_id
- dl:254