
Foreword
At 10:34:28 UTC on May 20th, PancakeBunny (BUNNY), a DeFi yield aggregator on Binance Smart Chain (BSC), was hit by a flash loan attack from an external developer. The hacker used the flash loan to arbitrage 114,631 BNB, about 40 million USD, a very large sum. Knownsec Blockchain Security Lab works through the attack process and code details to shed light on how flash loan arbitrage works.
Basic information
Attacker address: 0xa0acc61547f6bd066f7c9663c17a312b6ad7e187
Attack transaction hash: 0x897c2de73dd55d7701e1b69ffb3a17b0f4801ced88b0c75fe1551c5fcce6a979
Attack contract address: 0xcc598232a75fb1b361510bce4ca39d7bc39cf498
https://bscscan.com/tx/0x897c2de73dd55d7701e1b69ffb3a17b0f4801ced88b0c75fe1551c5fcce6a979
Figure 1
Figure 2
Figure 3
Detailed attack steps
1. The attacker first invokes the transaction shown in Figure 2 to deposit (stake) funds, at which point a staking reward is generated;
4. The BNB obtained through 3 steps is returned to the flash loan address, leaving a profit of 114,631 BNB, worth about 40 million US dollars.
Summary