BSC Flash Loan Attack

A collection of assaults compromised a number of Binance Sensible Chain (BSC) initiatives in Might. Following PancakeBunny, its three forks initiatives — AutoShark, Merlin Labs, and PancakeHunny — had been additionally attacked utilizing comparable methods. PancakeBunny suffered the costliest assault of the 4, which noticed almost $45M in whole damages. On this article, Dr. Chiachih Wu, Head of the Amber Group Blockchain Safety Workforce, elaborates on the small print behind the assaults on the three copycats.


AutoShark was attacked 5 days after PancakeBunny, adopted by Merlin Labs and PancakeHunny, respectively. The next is an evaluation of the issues and attainable assault methods for these three forked initiatives.

Within the SharkMinter.mintFor() operate, the quantity of rewarding SHARK tokens to be minted (i.e., mintShark) is derived from sharkBNBAmount computed by tokenToSharkBNB() in line 1494. Nevertheless, tokenToSharkBNB() references the present steadiness of flip, which makes it a susceptible level. One may assume that the quantity of tokens acquired in line 1492 is the same as the quantity of the flip steadiness. Nonetheless, a foul actor may manipulate the flip steadiness just by sending in some flip tokens proper earlier than the getReward() name and not directly breaking the logic of tokenToSharkBNB().

Within the underlying implementation of tokenToSharkBNB() , there’s one other assault floor. As proven within the above code snippet, _flipToSharkBNBFlip() removes liquidity from ApeSwap (line 1243) or PantherSwap (line 1262) and converts the LP tokens into SHARK+WBNB. Afterward, the generateFlipToken() is invoked to transform SHARK+WBNB into SHARK-BNB LP tokens.

Inside generateFlipToken() , the present SHARK and WBNB balances of SharkMinter (amountADesired, amountBDesired) are used to generated LP tokens and the quantity of LP tokens are returned to mintFor() as sharkBNBAmount. Primarily based on that, the unhealthy actor may switch SHARK+WBNB into SharkMinter to govern the quantity of SHARK tokens to be minted as properly.

The loophole in PancakeHunny is similar to that present in AutoShark, in that the unhealthy actor can manipulate HUNNY reward minting with HUNNY and WBNB tokens.

In comparison with AutoShark and PancakeHunny, Merlin Labs’ _getReward() has a extra apparent vulnerability.

The code snippet above exhibits that the performanceFee may very well be manipulated by the steadiness of CAKE, which not directly impacts the MERL rewards minting. Nevertheless, the nonContract modifier eliminates flash loans.

Even with out an exploit contract, the unhealthy actor may nonetheless revenue via a number of calls.

Reproducing AutoShark Assault

To breed the AutoShark hack, we have to first get some SHARK-BNB-LP tokens from PantherSwap. Particularly, we swap 0.5 WBNB into SHARK (line 58) and switch the remainder WBNB with these SHARK tokens into PantherSwap for minting SHARK-BNB-LP tokens (line 64). Afterward, we deposit these LP tokens into AutoShark’s StrategyCompoundFLIP contract (line 69) to qualify for rewards. Notice that we purposely solely deposit half of the LP tokens in line 69.

The second step is to make getReward() go into the SharkMinter contract. Within the above code snippet, we all know that the reward might be retrieved by the earned() operate (line 1658). Moreover, 30% of the reward (i.e., performanceFee) ought to be better than 1,000 (i.e., DUST) to set off the SharkMinter.mintFor() in line 1668.

Due to this fact, in our exploit code, we switch some LP tokens to the StrategyCompoundFLIP contract in line 76 to bypass the performanceFee > DUST test and set off the mintFor() name. Since we want plenty of WBNB+SHARK to govern SharkMinter, we leverage PantherSwap’s 100ok WBNB through a flash-swap name in line 81.

Within the flash-swap callback, pancakeCall(), we change half of the WBNB into SHARK and ship the SHARK with the remaining 50,000 WBNB to the SharkMinter contract to govern the reward minting.

The following step is to set off getReward() when the SharkMinter receives the WBNB+SHARK tokens to mint a considerable amount of SHARK to the caller.

The final step is to transform SHARK to WBNB, pay the flash mortgage, and stroll away with the remaining WBNB tokens.

In our experiment, the unhealthy actor begins with 1 WBNB. With the assistance of flash loans, he income from greater than 1,000 WBNB being returned in a single transaction.

Reproducing PancakeHunny Assault

The speculation behind the PancakeHunny assault is just like the AutoShark assault. In short, we have to ship plenty of HUNNY+WBNB to HunnyMinter earlier than triggering getReward(). Nevertheless, the HUNNY token contract has a safety mechanism referred to as antiWhale to stop great amount transfers. Due to this fact, flash loans don’t work right here.

To bypass antiWhale, we create a number of little one contracts and provoke a number of CakeFlipVault.deposit() calls through mentioned contracts.

Within the above exploit code snippet, the LP tokens gathered in line 116 are divided into 10 components and transferred to 10 Lib contracts in line 122 adopted by Lib.put together() requires every of them.

Inside Lib.put together(), we approve() the CakeFlipVault to spend the LP tokens and invoke CakeFlipVault.deposit() to allow the later getReward() requires minting rewarding HUNNY tokens.

After making ready 10 Lib contracts, the primary contract iterates every of them to: 1) swap WBNB to the utmost allowable quantity of HUNNY; 2) switch WBNB+HUNNY to HunnyMinter; 3) set off getReward() through lib.set off(); and 4) swap HUNNY again to WBNB.

In the long run, the unhealthy actor with 10 WBNB earns round 200 WBNB from 10 runs of 10 Lib contracts operations.

Reproducing Merlin Labs Assault

As talked about earlier, Merlin Labs has the noContract modifier to do away with flash mortgage assaults. Nevertheless, we may use a script to set off the assault with a number of transactions initiated from an EOA (Externally Owned Account) deal with. The one distinction is that somebody could front-run the unhealthy actor’s transaction to steal the income.

Much like the AutoShark assault, we have to put together sufficient LINK and WBNB (line 23), use them to mint WBNB-LINK-LP tokens (line 34), and deposit LP tokens into VaultFlipCake contract (line 38).

The remaining actions are:

  1. Swapping WBNB to CAKE (line 42).
  2. Manipulating MERL minting by sending CAKE to VaultFlipToCake contract (line 50).
  3. Triggering getReward() in line 55 (a considerable amount of MERL tokens are minted).
  4. Swapping MERL again to WBNB and repeating the above steps a number of instances.

As talked about earlier, if somebody entrance runs step Three proper after step 2, that individual may take away a considerable amount of MERL.

In our experiment, the unhealthy actor begins with 10 WBNB and walks away with round 165 WBNB by repeating the 4 steps 10 instances.

About Amber Group

Amber Group is a number one international crypto finance service supplier working all over the world and across the clock with a presence in Hong Kong, Taipei, Seoul, and Vancouver. Based in 2017, Amber Group companies over 500 institutional shoppers and has cumulatively traded over $500 billion throughout 100+ digital exchanges, with over $1.5 billion in property underneath administration. In 2021, Amber Group raised $100 million in Collection B funding and have become the most recent FinTech unicorn valued at over $1 billion. For extra info, please go to