Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.
PancakeBunny, the DeFi revenue aggregator on Binance Smart Chain (BSC), suffered a lightning loan attack and lost 114,631.5421 WBNB and 697,245.5699 BUNNY, totaling approximately US$45 million. The price of the token BUNNY crashed from 240 US dollars at around 6:35, and once fell below 2 US dollars, with the highest drop of more than 99% at one time. The official response stated that the hacker used PancakeSwap to borrow a large amount of BNB from a flash loan attack from an external developer, and then continued to manipulate the USDT/BNB and BUNNY/BNB prices to obtain a large amount of BUNNY and sell it, resulting in a flash crash of the BUNNY price. Hackers exchanged back to BNB through PancakeSwap. Attack method (per SlowMist): Flash loan attack. Reported loss: $ 45,000,000.
- chain
- bsc
- protocol
- PancakeBunny
- bug_class
- flashloan
- date_occurred
- 2021-05-20
- loss_usd
- $45,000,000
- source_id
- sm:pancakebunny::2021-05-20