
Hackers stole $1.9 million from the DeFi protocol PancakeHunny
On October 20, the decentralized protocol PancakeHunny was attacked using a flash loan and lost 388 BNB and 1.7 million TUSD (approximately $1.9 million). The first to notice the attack were researchers from blockchain-security firm PeckShield Inc.
According to them, the hacker executed 32 transactions to mint a huge amount of HUNNY tokens.
"The hack became possible due to a profit-inflation bug, which converts a relatively small amount of farmed ALPACA into a large number of TUSD for staking. These converted TUSD are then counted as profit and used to create a huge number of HUNNY coins," the experts explained.
Subsequently the hacker routed the funds through mixers Typhoon Network and Tornado Cash, as well as the protocols Anyswap, Celer Network and Synapse Protocol. In the end they were swapped for Ethereum.

As a result of the attack, the price of the HUNNY token collapsed by more than 60% and, at the time of writing, stood at $0.1179.

Later, PancakeHunny’s developers confirmed the attack. They gave assurances that all user funds are safe and that the exploit affected only the price of HUNNY.
According to them, the hacker created a smart contract for the HUNNY TUSD treasury exploit, which was executed 26 times.
They outlined the attacker’s sequence of steps. First, he obtained a flash loan from Cream Finance amounting to 53.25 BTC. He exchanged these funds for 2,717,107 TUSD borrowed from the Venus protocol.
Next, the hacker manipulated the price of the BNB/TUSD pool on PancakeSwap and used 50 different wallets to deposit 38,250 TUSD into the HUNNY TUSD treasury. After that, he bought back 2,842.16 TUSD and issued 12,020.40 HUNNY, which were then sold for 7.78 WBNB.
The PancakeHunny developers halted the process of creating the TUSD Vault token.
"We will route liquidity to pools with higher liquidity to prevent the effects of price manipulation," they added.
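The developers' point about deeper pools can be checked with a small constant-product model. This is an added example, not PancakeHunny's code: the pool sizes, the 0.25% fee, the 2% tolerance and the reference-price guard are assumptions made for illustration.

```python
from dataclasses import dataclass

FEE = 0.0025  # assumed swap fee (0.25%)

@dataclass
class Pool:
    """Constant-product (x * y = k) pool; all reserves used here are constructed."""
    reserve_in: float   # token sold into the pool
    reserve_out: float  # token paid out by the pool

    def spot_price(self) -> float:
        return self.reserve_out / self.reserve_in

    def swap(self, amount_in: float) -> float:
        """Sell amount_in into the pool, update reserves, return the amount out."""
        eff = amount_in * (1 - FEE)
        out = self.reserve_out * eff / (self.reserve_in + eff)
        self.reserve_in += amount_in
        self.reserve_out -= out
        return out

def price_shift(depth: float, trade: float) -> float:
    """Relative spot-price change after one trade into a balanced pool
    holding `depth` units of each token."""
    pool = Pool(depth, depth)
    before = pool.spot_price()
    pool.swap(trade)
    return abs(pool.spot_price() - before) / before

def safe_to_convert(pool: Pool, reference_price: float,
                    tolerance: float = 0.02) -> bool:
    """Hypothetical guard: only value rewards at the pool price when it is
    within `tolerance` of an independent reference (e.g. a TWAP or oracle)."""
    deviation = abs(pool.spot_price() - reference_price) / reference_price
    return deviation <= tolerance

if __name__ == "__main__":
    trade = 50_000  # same trade size against two pool depths
    for depth in (100_000, 10_000_000):
        print(f"depth {depth:>10,}: price moves {price_shift(depth, trade):.2%}")
    shallow = Pool(100_000, 100_000)
    shallow.swap(trade)
    print("conversion allowed:", safe_to_convert(shallow, reference_price=1.0))
```

The same trade moves the shallow pool's price by more than half and the deep pool's by about one percent, which is why profit valued at a shallow pool's spot price is unreliable.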
Earlier in August, the DeFi protocol Cream Finance was subjected to an attack using a flash loan. The damage amounted to 462,079,976 AMP and 2,804 ETH (more than $18 million).
Weeks later the project managed to recover 5,152.6 ETH (about $16.7 million at the time), identifying the hacker with help from the community. Meanwhile, the attacker received 10% of the amount as a bounty for the discovered bug.