NewsBTC 2021-07-24 17:04:03

BSC Flash Loan Attack: The Three Copycats

A series of attacks compromised several Binance Smart Chain (BSC) projects in May. Following PancakeBunny, its three forked projects — AutoShark, Merlin Labs, and PancakeHunny — were also attacked using similar techniques. PancakeBunny suffered the most costly attack of the four, which saw nearly $45M in total damages. In this article, Dr. Chiachih Wu, Head of the Amber Group Blockchain Security Team, elaborates on the details behind the attacks on the three copycats.

Copycats

AutoShark was attacked five days after PancakeBunny, followed by Merlin Labs and PancakeHunny, respectively. The following is an analysis of the problems and possible attack techniques for these three forked projects.

In the SharkMinter.mintFor() function, the amount of SHARK reward tokens to be minted (i.e., mintShark) is derived from sharkBNBAmount, which is computed by tokenToSharkBNB() in line 1494. However, tokenToSharkBNB() references the current balance of flip, which makes it a vulnerable point. One could assume that the amount of tokens received in line 1492 is equal to the flip balance. Still, a bad actor could manipulate the flip balance simply by sending in some flip tokens right before the getReward() call, indirectly breaking the logic of tokenToSharkBNB().

In the underlying implementation of tokenToSharkBNB(), there’s another attack surface. As shown in the above code snippet, _flipToSharkBNBFlip() removes liqui...
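The balance-based reward calculation described above for SharkMinter.mintFor(), set beside an accounting that credits only the amount actually received, as an added Python model that is not code from the article or from the AutoShark contracts. The `Token` and `Minter` classes, the account names, the flat `SHARK_PER_FLIP` rate and all amounts are constructed assumptions; the real pricing inside tokenToSharkBNB() is not modelled.

```python
# Simplified model, constructed for illustration (not the AutoShark contracts).
SHARK_PER_FLIP = 3  # hypothetical flat rate standing in for tokenToSharkBNB()


class Token:
    """Minimal ERC-20-like ledger for the flip token."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, owner):
        return self.balances.get(owner, 0)

    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] = self.balance_of(src) - amount
        self.balances[dst] = self.balance_of(dst) + amount


class Minter:
    """Receives a fee in flip from a vault and mints reward tokens for it."""

    def __init__(self, flip):
        self.flip = flip

    def _mint(self, flip_amount):
        # Convert the credited flip and hand it on, as a minter would.
        self.flip.transfer("minter", "pool", flip_amount)
        return flip_amount * SHARK_PER_FLIP

    def mint_for_balance(self, vault, fee):
        # Flawed: treats the whole current balance as "what was just received".
        self.flip.transfer(vault, "minter", fee)
        return self._mint(self.flip.balance_of("minter"))

    def mint_for_delta(self, vault, fee):
        # Hardened: credit only the balance change caused by this transfer.
        before = self.flip.balance_of("minter")
        self.flip.transfer(vault, "minter", fee)
        return self._mint(self.flip.balance_of("minter") - before)


def scenario(method, unsolicited):
    """Reward minted for a 10-flip fee after `unsolicited` flip was sent in."""
    flip = Token({"vault": 100, "other": 1000})
    if unsolicited:
        flip.transfer("other", "minter", unsolicited)
    return getattr(Minter(flip), method)("vault", 10)
```

With a 10-flip fee, the balance-based path mints in proportion to whatever the minter happens to hold, while the delta-based path mints the same reward regardless of tokens sent in beforehand.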
