On October 20, the decentralized PancakeHunny protocol was attacked with instant credit and lost 388 BNB and 1.7 million TUSD (approximately $1.9 million). The first to pay attention to the attack were the specialists of the company in the field of blockchain security PeckShield Inc.
According to them, the hacker carried out 32 transactions to create a huge number of HUNNY coins.
“The hack became possible due to the profit inflation error, which converts a relatively small amount of ALPACA into a large number of TUSD for staking. These converted TUSDS are then counted as profit and used to create a huge number of HUNNY coins,” the experts explained.
Later, the hacker passed funds through Typhoon Network and Tornado Cash mixers, as well as Anyswap, Celer Network and Synapse Protocol protocols. In the final, they were exchanged for Ethereum.
As a result of the attack, the price of the HUNNY token has fallen by more than 60% and at the time of writing is $0.1179.
Later, the developers of PancakeHunny confirmed the fact of the attack. They assured that all users’ funds are safe, and the exploit only affected the price of HUNNY.
According to them, the hacker created a smart contract for the HUNNY TUSD storage exploit, which was subsequently executed 26 times.
They gave the sequence of the attacker’s steps. Initially, he received an instant loan from Cream Finance in the amount of 53.25 BTC. He exchanged these funds for credit 2,717,107 TUSD from the Venus protocol.
Later, the hacker manipulated the price of the BNB/TUSD pool on PancakeSwap and used 50 different wallets to deposit 38,250 TUSD in the HUNNY TUSD vault. After that, he bought 2,842.16 TUSD and released 12,020.40 HUNNY, which he then sold for 7,78 WBNB.
PancakeHunny developers have stopped the process of creating the TUSD Vault token.
“We will change the routing to pools with higher liquidity to prevent the consequences of price manipulation,” they added.