Pancake Bunny Saga: Revealing All the Details of the Tough Transformation

Diving deep into how Pancake Bunny changed their code according to the suggestions I made. It was not an easy process. See for yourself.

🔢 Chronology

  • Discovering alarming smart contract details while performing a security analysis.
  • Sending an email to the Bunny team with suggestions on fixing the issues.
  • Receiving their answer, which stated that the project was in an active development stage and no changes would be made.
  • Publishing the audit and posting it on social media.
  • Suddenly, Bunny’s Telegram got deleted.
  • The Bunny team considered a rug pull but realized that BSC might freeze the funds, so they created a new Telegram profile to reanimate the project.
  • The team implemented a 24h timelock to whiten its reputation.
  • Reviewing the code of the smart contracts again and making sure the suggested updates were implemented in an appropriate way.
  • Publishing a post explaining the smart contract updates.

🚫 High-Risk Issues in the Bunny Project

In the middle of December, I picked the Pancake Bunny project for a regular smart contract security analysis to inform the community about possible issues and risks existing in the code.

As a reminder, my goal is to make a change in the yield farming industry by a) encouraging suspicious projects to improve; b) informing the community what to be aware of. You can check the audits I made previously on my website.

In short, I discovered multiple issues while performing the review, such as:

  • The project was centralized, because EOAs (BunnyMinter, Bunny Deployer) were the owners of numerous smart contracts.
  • The Bunny Deployer EOA could frictionlessly mint new tokens to any specified address.
  • The EOA could transfer ownership of the Bunny Token contract to another address, which would then be able to invoke the mint function.
  • Infinite minting was possible.
  • The fees, team rewards, and user rewards could be modified by the Bunny Deployer EOA without any restrictions.

Taking all the aforementioned facts into account, I estimated the yield farming risk as high. This was an objective assessment, no doubt.

However, the project’s risk status could easily have been lowered to low if the necessary changes were implemented. Namely, I suggested introducing a Timelock contract with a sufficient delay (at least 48h) and a monitoring mechanism.
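One way to apply the suggested mitigation, as an added example that is not the Bunny project’s code: a minimal Solidity timelock (names and structure are my own, loosely following the common queue/execute pattern) that refuses any delay below 48 hours and emits an event for every queued action, which is exactly what a monitoring bot would watch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Every privileged call (mint, fee change, ownership transfer) is queued,
// announced through an event, and executable only after `delay` has passed.
contract MinimalTimelock {
    uint256 public constant MINIMUM_DELAY = 48 hours; // delay recommended in the audit
    address public admin;
    uint256 public delay;
    mapping(bytes32 => bool) public queued;

    event QueueTransaction(bytes32 indexed txHash, address target, bytes data, uint256 eta);
    event ExecuteTransaction(bytes32 indexed txHash, address target, bytes data, uint256 eta);

    constructor(uint256 delay_) {
        require(delay_ >= MINIMUM_DELAY, "delay too short");
        admin = msg.sender; // ideally a multisig, not a single EOA
        delay = delay_;
    }

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    function hashTx(address target, bytes memory data, uint256 eta) public pure returns (bytes32) {
        return keccak256(abi.encode(target, data, eta));
    }

    // Queue a call; `eta` is the earliest timestamp at which it may be executed.
    function queueTransaction(address target, bytes calldata data, uint256 eta)
        external onlyAdmin returns (bytes32 txHash)
    {
        require(eta >= block.timestamp + delay, "eta before delay");
        txHash = hashTx(target, data, eta);
        queued[txHash] = true;
        emit QueueTransaction(txHash, target, data, eta); // what a monitoring bot subscribes to
    }

    // Execute a queued call once the delay has elapsed, then forget it.
    function executeTransaction(address target, bytes calldata data, uint256 eta)
        external onlyAdmin returns (bytes memory)
    {
        bytes32 txHash = hashTx(target, data, eta);
        require(queued[txHash], "not queued");
        require(block.timestamp >= eta, "still locked");
        queued[txHash] = false;
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        emit ExecuteTransaction(txHash, target, data, eta);
        return ret;
    }
}
```

The token and vault contracts would have their ownership transferred to this contract’s address, so that every mint or fee change has to sit in the public queue for the full delay before it can take effect.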

✉️ Correspondence With the Bunny Team

I enthusiastically composed a detailed email listing the issues I discovered, along with clear steps on how to transform the smart contracts to make the project safer. Then I sent it to the Bunny team.

Frankly speaking, based on my previous experience, I sincerely believed that they would follow my advice and make the changes shortly. However, my expectations didn’t come true, as the next day I received this discouraging answer:

I bet they pretended not to understand the importance of a timelock in the early development stage. The thing is, the priority should be to make the project safer and more reliable, not to create new features. The ‘active development stage’ can hardly count as an excuse. The project is worth nothing if its risk level is high for its investors. Any junior developer or manager knows that.

I did my best to convince them to apply the Timelock ASAP.

However, the Bunny team took a different path.

Once again, I tried to change their mind by providing real examples of how other projects executed the necessary changes and reduced the risk. But it didn’t help. Still, no actions were taken.

👻 A post on social media led to the ‘out of the blue’ disappearance of Bunny’s Telegram profile

Consequently, Bunny’s inertia made me publish a warning alert on social media along with the detailed audit to shed light on the threat. Whatever the project was saying, I needed to alert people to the existing issues:

[https://twitter.com/de.fi/status/1342175576165998593](https://twitter.com/defiyield_app/status/1342175576165998593) / [https://archive.vn/WzwO8](https://archive.vn/WzwO8)

Instead of providing the reasons and explanations, the Bunny team removed their Telegram account (the main communication channel), baffling the users.

I decided to set up a Telegram group for Bunny users to discuss the situation internally and avoid any FUD in some way. To my surprise, it was joined by dozens of users.

[https://twitter.com/de.fi/status/1343344388928368650](https://twitter.com/defiyield_app/status/1343344388928368650) / [https://archive.is/xW5Xn](https://archive.is/xW5Xn)

I am absolutely sure they were about to rug pull but then realized that the funds might be frozen by BSC. There is no other adequate explanation, unless their Telegram account really could be deleted ‘out of nowhere’ as they stated. Funny! I don’t believe their account was hacked.

Check out this screenshot:

[https://twitter.com/de.fi/status/1343344390325071872](https://twitter.com/defiyield_app/status/1343344390325071872) / [https://archive.vn/rPBGQ](https://archive.vn/rPBGQ)

✔️ Implementation of the Timelock

There was no other way for the Bunny team but to implement the required changes to reanimate the project and whiten its reputation.

Thus, the Timelock contract was added. However, only a 24h delay was set, instead of the recommended 48h.

[https://twitter.com/de.fi/status/1344563768131526658](https://twitter.com/defiyield_app/status/1344563768131526658) / [https://archive.vn/sEuuC](https://archive.vn/sEuuC)

Of course, it’s better than nothing; however, a significant risk still exists for the users, because the Timelock delay is shorter than needed. Why? All of the queued events have to be monitored manually on a daily basis. The team did not set up a mechanism (a Telegram bot, for instance) to keep their users informed and up to date about changes proceeding through the Timelock.

Thus, the risk level stated in my audit could only be decreased to medium.

🤔 Conclusion

My efforts were not in vain, fortunately. Even though the Bunny team had the potential to instantly decrease the risk level of their smart contracts from high to low, achieving the medium level is a good result, seeing that the team initially rejected my requests.

Going forward, I will continue looking for such projects and trying to get the devs to update their projects and improve safety. I truly believe that by calling out the risks, the industry can change for the better.

Don’t trust — verify. Always.

P.S. I have a constantly updating list of projects to audit, so if you have any suggestions, make sure to let me know through any of the outlets:
