Binance Smart Chain hackers made $167M with flash loans, exploits in May

Binance Smart Chain (BSC) dapps lost $167 million flash loan attacks and other exploits in May, according to data collated by Rekt.

Attackers have flash loaned BSC protocols with increasing regularity since the turn of the year, but even so May was a particularly bloody month.

Styles of flash loan attacks vary, but generally they exploit quirks in how blockchains work, as well as the industry’s overt reliance on centralized price oracles.

Boiled down, they involve taking out a crypto loan, using the funds elsewhere for profit, and then paying back the loan — all very quickly and within the same block.

As explained by tech journalist John Biggs (via CoinDesk):

• Loan cryptocurrency (let’s say Ether) from a lending protocol.
• Spend ETH on a dollar-pegged stablecoin — but pay more than $1 — driving up the price reported by oracles (in this case to $2).
• Take a second loan using the inflated stablecoins.

In this scenario, the lender requests just half the collateral due to the temporarily doubled price of the stablecoin.

The flash loan attacker can now comfortably pocket the difference, although they still have to pay back the original loan.

Effectively, these exploits are akin to rapid-fire arbitrage trading.

BSC’s PancakeBunny, the most rekt

The biggest of May’s attacks saw yield-farming aggregator PancakeBunny shed over 90% from the price of its native token BUNNY.

A flash loan exploit relieved it of $45 million in digital assets, as noted by Cointelegraph.

According to a PancakeBunny tweet, attackers borrowed Binance’s token BNB before manipulating its local Tether (USDT) and BUNNY markets — before dumping BUNNY and causing it to tank.

Despite making off with around $200 million in digital assets overall, PancakeBunny’s statement hinted those responsible actually got away with around 114,600 BNB ($45 million).

The attacker’s presumably used the remainder to pay back the loans that funded the move in the first place.

The "nice" hacker from @PancakeBunnyFin just donated $100k to @RektHQ

I guess he really liked the article PANCAKEBUNNY – REKT https://t.co/YIaOetgiVU

Such a nice degen, robbing from the shitcoins and giving to the Rekt community 😍

We Are All Rekt. https://t.co/zh1ByV3mZo pic.twitter.com/4Ih2i5kdnJ

— Julien Bouteloup (@bneiluj) May 24, 2021

[Read more: Yearn loses $3M to flash loan attack days after inflating supply 20%]

Other notable flash loan victims in May (as documented by Rekt):

• Spartan Finance lost $30.5 million when hackers took advantage of a flaw in how it calculates liquidity.
• bEarn was looted for $11 million worth of stablecoins.
• BurgerSwap waved goodbye to $7.2 million in various cryptos over 14 illicit transactions.

The most recent exploit saw Belt Finance stung for $50 million on May 29.

According to Belt’s blog, attackers “created a smart contract that used PancakeSwap for flash loans and exploited our beltBUSD pool and its underlying strategy protocols.”

While BSC is the flavor of the month, it’s by no means the only blockchain grappling with these exploits.

In February, flash loaners targeted Ethereum’s Yearn Finance, getting away with $2.7 million and costing Yearn $11 million.

Polygon dapps could be next

Speculation is rife as to where flash loaners will focus energies next.

Some pundits reckon self-styled Ethereum scalability solution Polygon (formerly Matic) might be the next big target.

It took a few months for BSC to gain steam till the mass exploits hit. I’m wondering if that’s something that’s unique to BSC or just an outcome of new DeFi protocols being battle tested .
If the latter, expect the Polygon Dapps to be the next targets

— Ma/ya Zehavi (@mayazi) May 30, 2021

[Read more: The NFT market bubble has popped and we’ve got the charts to prove it]

Rekt’s Bouteloup — who invented the flash loan attack — told Protos: “I agree with Maya. ‘Layer 2’ and ‘fast chains’ will be the best place to run exploits because it’s fast and cheap.”