Binance Smart Chain DeFi protocol PancakeHunny suffers flash loan attack

Binance Smart Chain DeFi protocol PancakeHunny suffers flash loan attack

As the users argue “what’s better,” Ethereum or Binance Smart Chain, the latter saw another decentralized protocol being exploited. PancakeHunny on BSC was attacked by a flashloan and no, this wasn’t a first for the protocol.

Blockchain security and data analytics company Peckshield Inc. announced the attack on Twitter.

#FlashLoanAlert https://t.co/up2o7NQLtS— PeckShield Inc. (@peckshield) October 20, 2021

The last time that this protocol was exploited, was in June, wherein the team had noted the creation of a smart contract to exploit the Hunny Minter Smart Contract. The contract was subsequently executed 91 times, as per the team.

The team took a long time to respond to the hack this time but assured the users that their funds were safe. The team added in a preliminary report,

“On 20 October 2021, at 0920 UTC. A smart contract was created to exploit the Hunny TUSD vault. The Contract was subsequently executed 26 times.”

PeckShield provided some details about the same noting,

“@PancakeHunny was exploited in a flurry of 32 txs (one hack tx: https://bscscan.com/tx/0x1b698231965b72f64d55c561634600b087154f71bc73fc775622a45112a94a77) to mint huge amount of $HUNNY, leading to the gain of 388 BNB and 1.7M TUSD (with roughly $1.9M) for the hacker.”

According to the agency, this hack was possible due to a profit inflation bug, which converts the relatively small amount of harvested ALPACA, to a large amount of TUSD for staking. PeckShield added,

“These converted TUSDs are then counted as profit, now inflated to mint large amount of $HUNNY!”

Actions taken by the team

The PancakeHunny team has stopped the minting process for the TUSD vault while assuring that funds in Hives were all SAFE. The exploit did not affect other Hives and Vaults but the price of HUNNY.

They added that the issue has been identified and the team will change its rooting to higher liquidity pools to prevent the aftereffects of price manipulation of LP pools.

Source