Overview
PancakeBunny was one of the most popular yield aggregators on BSC during the chain's DeFi boom in early 2021. The protocol operated auto-compounding vaults built on top of PancakeSwap — users deposited LP tokens or single assets, and PancakeBunny automatically harvested and reinvested CAKE rewards, compounding returns more efficiently than manual claiming.
At its peak, PancakeBunny had over $5 billion in TVL, making it one of the largest DeFi protocols on BSC. The protocol's BUNNY token was distributed as additional yield to vault depositors, creating high advertised APYs that attracted retail depositors in droves.
On May 20, 2021, PancakeBunny was exploited for approximately $45 million through a sophisticated flash loan attack. The attacker:
- Took a massive flash loan from PancakeSwap
- Used the borrowed funds to manipulate the price of the BNB/BUNNY pair
- Deposited into PancakeBunny vaults to trigger BUNNY minting at inflated prices
- Dumped the minted BUNNY tokens, crashing the price by over 95%
- Repaid the flash loan with profits
The attack exploited a vulnerability in how PancakeBunny calculated BUNNY token rewards — the minting formula was based on the BNB price of BUNNY, which could be manipulated through flash loans. The attacker walked away with approximately $45 million in profits while BUNNY holders lost almost everything.
The exploit was devastating. BUNNY crashed from ~$150 to under $5 within hours. TVL evaporated as users rushed to withdraw. The protocol attempted to recover through a compensation plan and relaunch, but trust was irreparably damaged. PancakeBunny is effectively dead.
Smart Contracts
PancakeBunny's vault contracts were functional for their core purpose — auto-compounding PancakeSwap rewards. The contracts handled deposit, harvest, compound, and withdrawal operations correctly under normal conditions. The vulnerability was not in the core vault logic but in the BUNNY minting mechanism — specifically, the reliance on a manipulable price oracle for determining mint amounts.
The flash loan vulnerability was a design flaw rather than a coding bug — the token economics assumed that the BUNNY/BNB price couldn't be manipulated within a single transaction, which flash loans proved false.
Security
Security was PancakeBunny's catastrophic failure. The $45 million exploit exposed multiple security shortcomings:
- Flash loan vulnerability: BUNNY minting formula used a spot price that could be manipulated via flash loans
- No TWAP oracle: Reliance on instantaneous AMM price rather than time-weighted average price
- No minting caps: No limit on BUNNY that could be minted in a single transaction
- Inadequate audit scope: Audits focused on vault mechanics but missed the token minting attack vector
The exploit was particularly damaging because it was a known attack class — flash loan price manipulation had been used in multiple DeFi exploits before PancakeBunny's incident. The team failed to implement protections against a well-documented vulnerability.
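The gap between a spot price and a TWAP, and the effect of a mint cap, can be shown with a small model. This is an added example, not PancakeBunny's contract code: the pool reserves, the fee-to-BUNNY mint formula, MINT_CAP and MAX_DEVIATION are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Constant-product BNB/BUNNY pool with a cumulative-price accumulator."""
    bnb: float
    bunny: float
    last_ts: int = 0
    cumulative: float = 0.0  # sum of (BNB per BUNNY) * seconds elapsed

    def spot(self) -> float:
        return self.bnb / self.bunny

    def sync(self, now: int) -> None:
        # Record the price that held since the last update, before any trade now.
        self.cumulative += self.spot() * (now - self.last_ts)
        self.last_ts = now

    def swap_bunny_in(self, amount: float, now: int) -> None:
        self.sync(now)
        k = self.bnb * self.bunny
        self.bunny += amount
        self.bnb = k / self.bunny

def twap(pool: Pool, snap_cum: float, snap_ts: int, now: int) -> float:
    pool.sync(now)
    return (pool.cumulative - snap_cum) / (now - snap_ts)

MINT_CAP = 500.0       # assumed per-transaction BUNNY cap
MAX_DEVIATION = 0.05   # assumed tolerated gap between spot and TWAP

def mint_spot(pool: Pool, fee_bnb: float) -> float:
    """Weak form (assumed formula): converts the fee at the instantaneous price."""
    return fee_bnb / pool.spot()

def mint_guarded(pool: Pool, fee_bnb: float, snap_cum: float, snap_ts: int, now: int) -> float:
    """Hardened form: TWAP pricing, deviation check, per-transaction cap."""
    avg = twap(pool, snap_cum, snap_ts, now)
    if abs(pool.spot() - avg) / avg > MAX_DEVIATION:
        raise ValueError("spot deviates from TWAP; refusing to mint")
    return min(fee_bnb / avg, MINT_CAP)

def demo():
    pool = Pool(bnb=10_000.0, bunny=20_000.0)   # constructed reserves, spot = 0.5
    snap = (pool.cumulative, pool.last_ts)      # oracle snapshot at t = 0
    pool.sync(1_800)                            # 30 quiet minutes pass
    honest = mint_guarded(pool, 100.0, *snap, now=1_800)
    pool.swap_bunny_in(180_000.0, 1_800)        # large trade in the same block
    return pool, snap, honest, mint_spot(pool, 100.0)
```

The same-block trade moves the spot price a hundredfold but adds nothing to the accumulator, so the TWAP stays at 0.5 and the guarded mint rejects the call. A TWAP only resists manipulation that is shorter than its averaging window, so the window length is itself a security parameter.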
Yield Generation
Pre-exploit, PancakeBunny generated yield through auto-compounding of PancakeSwap rewards plus BUNNY token emissions. The auto-compounding was genuine — it provided real value by saving users gas costs and optimizing compound frequency. However, a significant portion of advertised APY came from BUNNY emissions, which were inflationary.
Post-exploit, yield generation is irrelevant. The protocol's TVL is negligible, and any yield offered is meaningless given the BUNNY token's near-zero value.
Adoption
PancakeBunny had massive adoption during BSC's DeFi boom — $5B+ TVL and hundreds of thousands of depositors. The exploit destroyed this adoption overnight. Users who didn't withdraw immediately suffered massive losses. Post-exploit adoption is effectively zero, with the protocol serving as a cautionary tale rather than a functioning yield platform.
Tokenomics
BUNNY tokenomics were destroyed by the exploit. The flash loan attack caused hyperinflationary minting of BUNNY tokens, diluting existing holders and crashing the price 95%+. The compensation plan involved new token mechanics, but holders' losses were largely unrecoverable. BUNNY's market cap went from hundreds of millions to near-zero.
The fundamental tokenomics flaw was tying token minting to a manipulable price — a design that transformed a price oracle vulnerability into a printing press for the attacker.
Risk Factors
- PROTOCOL IS EFFECTIVELY DEAD. Do not deposit funds.
- $45M exploit: Flash loan attack destroyed the protocol's value and trust
- Token value destroyed: BUNNY lost 99%+ of its value
- Known vulnerability class: The flash loan attack type was well-documented before the exploit
- No recovery: Compensation efforts failed to make holders whole
- Trust destroyed: The exploit revealed fundamental security shortcomings
Conclusion
PancakeBunny is a textbook case study in flash loan attacks on DeFi yield aggregators. The protocol had genuine utility (auto-compounding was valuable), real adoption ($5B TVL), and a fatal flaw (manipulable token minting). The $45 million exploit demonstrated that in DeFi, a single smart contract vulnerability can destroy billions in value within minutes. The 1.3 score acknowledges that the auto-compounding product worked before the exploit while reflecting the catastrophic security failure that killed the protocol. PancakeBunny's epitaph: they built a working yield aggregator and attached it to a broken printing press.