How Lossless could mitigate major hacks — The PancakeBunny case study
The DeFi market is still very new, which is why it continues to experience some growing pains. One of these pains, and also the most damaging one, is the constant stream of hacks that exploit its vulnerabilities and its lack of regulation.
The hackers are motivated by the sheer amount of money constantly passing hands here. According to DeFi Pulse, the total value locked (TVL) in the market has been hitting all-time highs almost every day since the second quarter of 2020 (with some recent oscillations). In just the first two months of 2021, the TVL increased from $16 billion to a colossal $40 billion.
However, many cryptocurrencies have been experiencing price drops, leading some people to hope that the hackers might lose interest and stop attacking them. Unfortunately, this didn’t happen. Instead, it’s been business as usual for the hackers who have been treating the market as a buffet, helping themselves to its assets.
Another day, another hack
In mid-May, hackers drained $18 million in an attack on bEarn Fi, the cross-chain auto yield farming protocol that uses the Binance Smart Chain (BSC) and Ethereum blockchain. They took advantage of a bug in the internal withdraw logic of bEarn Fi’s BvaultsBank contract.
Around the same time, the FinNexus protocol was attacked by a hacker who used malware to compromise the hardware powering it. The multi-chain protocol bridging decentralized and traditional finance was the victim of a minting hack in which the perpetrator managed to mint roughly $7.6 million worth of FNX tokens and sell them on centralized (CEXs) and decentralized (DEXs) exchanges. This led to a massive price dump of 90%.
However, the worst attack in the past month was on PancakeBunny, which was hit by a $200 million flash loan exploit. As a result, the new Binance Smart Chain-native DeFi protocol tanked by 96%.
Had these tokens been protected by the Lossless hack mitigation protocol, we wouldn’t even be talking about all the damage caused by these attacks. Lossless would’ve hindered these hacks, helped token holders stop the nefarious activity as it’s happening, and recovered the stolen funds.
Let’s take a closer look at the case of PancakeBunny to see how.
What happened to PancakeBunny?
PancakeBunny was a DeFi yield aggregator used with the PancakeSwap exchange, allowing its users to compound their yield regardless of stake size by using the so-called “bunny farms”. PancakeBunny is similar to Yearn on the Ethereum chain, and PancakeSwap supports flash loans by default as part of the Uniswap v2 protocol design.
Before the hack took place, PancakeBunny’s smart contract was implemented on the Binance Smart Chain with a total value locked of more than $1 billion. The hack followed a somewhat typical flash loan scheme.
In short, the attacker borrowed a large sum of Binance Coin (BNB) through PancakeSwap. They then manipulated the price of USDT/BNB and BUNNY/BNB before dumping them on the market, causing the BUNNY price to plummet.
As a result, the hacker ended up with a huge amount of wBNB and newly minted BUNNY tokens, which they promptly swapped for anyETH on the 1inch DEX. The anyETH tokens were then exchanged for ETH via the Nerve Bridge.
How Lossless could’ve helped
Could this situation have been prevented if BUNNY tokens had a capable and efficient hack mitigation tool, such as the Lossless wrapper, in place? We certainly think so and here’s how:
First of all, the Lossless smart contract would’ve delayed moving these wrapped BUNNY tokens onto the 1inch DEX. During the delay, both white hat hackers and hack-detection bots participating in the Lossless ecosystem would have identified the hack. Then, they would have used the Lossless token staking to freeze the stolen BUNNY tokens.
Subsequently, the Lossless committee would have reviewed the situation and decided to permanently freeze the stolen BUNNY tokens. This way, they would have made sure the hacker couldn’t benefit from them and that BUNNY token holders would not suffer any undue losses.
Finally, the Lossless ecosystem would be rewarded by getting 7% of the recovered BUNNY tokens. In this case, this would be around $11 million.
This 7% from the stopped hack transaction would be distributed in the ecosystem as follows:
- 2% will be paid out to the finder of the hack,
- 2% is distributed for LSS token holders that stake,
- 2% is distributed for the Lossless Committee,
- 1% is retained by the Lossless company.
The ins and outs of the Lossless hack mitigation process
Lossless will provide token creators with a piece of code that they will insert into their tokens. It’s precisely this code that will allow the Lossless decision-making body to freeze any fraudulent transactions, identified through a set of fraud identification parameters.
The token creators that choose to participate will receive out-of-the-box tools to reinforce their tokens with the Lossless hack protection. These tools will include:
- interface for token relaunch swap,
- management of token relaunch with CEXs,
- airdrops of relaunched tokens for existing holders.
The tokens that are equipped with the Lossless hack defense will be called, for instance, L-ETH (Lossless wrapped ETH) or L-BTC (Lossless wrapped BTC).
In the meantime, the participating white hat hackers and community-created hack-spotting bots will keep an eye out for:
- on-chain events (smart contracts emitting events on certain actions),
- unusual token activities (like liquidity pulls and substantial transactions from teams’ wallets without prior announcement),
- third-party reports (such as about exchange security leaks and the like).
Once they identify a hack, a finder will freeze a suspicious address for a certain period of time. To do that, they’ll have to stake a specific amount of their LSS tokens.
Then, the Lossless decision-making body will review the frozen address to decide if the hack is valid or not. This body will comprise the Lossless Committee, the Lossless company, and the token creator.
If the hack is proven valid, the finder will get a fee, and further steps will be taken. These include freezing the perpetrator’s address for another 14 days, enacting a committee proposal for permanent address freezing and reversal of the transaction, as well as evaluating the code and contacting the contract owner.
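As an added illustration (not Lossless’s own contract, and not audited code), here is the stake-to-freeze and committee-review flow described in this section and in the PancakeBunny walkthrough above, written as a hypothetical Solidity registry plus the one check a token creator would insert into their token. The 14-day extension and the finder/committee roles come from the text; the contract names, the initial freeze window and the stake size are assumptions, and the settlement delay that gives finders time to act is assumed to exist elsewhere and is not shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
// Hypothetical freeze registry the token consults on every transfer; names, the
// initial window and the stake size are assumptions, not Lossless's real contract.
contract FreezeRegistry {
    uint256 public constant FINDER_FREEZE = 1 days;     // assumed initial window
    uint256 public constant COMMITTEE_FREEZE = 14 days; // extension stated in the text
    IERC20 public immutable lss;        // token that finders must stake
    uint256 public immutable stake;     // amount locked per freeze
    address public immutable committee; // decision-making body
    struct Freeze { address finder; uint256 until; bool permanent; }
    mapping(address => Freeze) public freezes;
    constructor(IERC20 _lss, uint256 _stake, address _committee) { lss = _lss; stake = _stake; committee = _committee; }
    // Step 1: a finder locks LSS and freezes the suspicious address for the initial window.
    function freeze(address suspect) external {
        require(freezes[suspect].finder == address(0), "already frozen");
        freezes[suspect] = Freeze(msg.sender, block.timestamp + FINDER_FREEZE, false);
        require(lss.transferFrom(msg.sender, address(this), stake), "stake failed");
    }
    // Step 2: committee review. A valid hack extends the freeze by 14 days, an invalid
    // report releases the address; the finder's stake is returned either way (assumption).
    function review(address suspect, bool valid) external {
        require(msg.sender == committee, "not committee");
        address finder = freezes[suspect].finder;
        require(finder != address(0), "not frozen");
        if (valid) freezes[suspect].until = block.timestamp + COMMITTEE_FREEZE;
        else delete freezes[suspect];
        require(lss.transfer(finder, stake), "refund failed");
    }
    // Step 3: a committee proposal makes the freeze permanent.
    function freezePermanently(address suspect) external {
        require(msg.sender == committee, "not committee");
        freezes[suspect].permanent = true;
    }
    function isFrozen(address a) external view returns (bool) { return freezes[a].permanent || freezes[a].until > block.timestamp; }
}
// The check a token creator inserts: refuse transfers out of a frozen address.
contract ProtectedToken {
    FreezeRegistry public immutable registry;
    mapping(address => uint256) public balanceOf;
    constructor(FreezeRegistry r) { registry = r; balanceOf[msg.sender] = 1e24; }
    function transfer(address to, uint256 amount) external returns (bool) {
        require(!registry.isFrozen(msg.sender), "sender frozen");
        balanceOf[msg.sender] -= amount; balanceOf[to] += amount;
        return true;
    }
}
```

Because the text does not say what happens to the stake of a rejected report, this sketch simply refunds it; without some slashing rule for rejected reports, the stake alone does not deter nuisance freezes of legitimate addresses.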
It’s too late for PancakeBunny but it doesn’t have to be for you. Come join us and contribute to a better crypto world by visiting our: