Active DeFi stakers have probably read the stories already or been caught in the middle. For the curious and unaware, PancakeBunnyFinance, AutoShark, Merlin Labs, and lately BurgerSwap have all been victims of flash loan attacks. It is also important to note that the code of these platforms had passed some audits but was still exploited.
How the attacks happened (in summary):
1. PancakeBunny - Lost ~$45 Million
   1. The exploiter staged (and exited) the attack using PancakeSwap (PCS).
   2. By exploiting a difference in PCS pricing, the hacker intentionally manipulated the price of USDT/BNB and Bunny/BNB, acquiring a huge amount of Bunny through the use of flash loans.
   3. The exploiter dumped all the Bunny in the market (Ethereum), causing the price of Bunny to plummet.
   4. The exploiter then exited the attack by paying back the remaining BNB (by having exploited the price difference from before) on PCS.
The team has since updated their code, as they should, and you can read it here.
2. AutoShark - ~$745K
The story for this one is a bit funny. In an attempt to promote their platform, they suggested that the $100K DAI donated by the PancakeBunny hacker be staked in their platform and auto-compounded. The next thing you know, they were also attacked.
Exploiter used $36,800,000, 100,000 BNB for the attack, and approximately 2,500 BNB was exploited — $822,800. 100,000,000 SHARK tokens were minted and used to drain all the liquidity in the LP pool because our token market cap was small (only at $2,000,000 approx) SHARK tokens, which are sold immediately via 1inch -> AnySwap.
3. Merlin Labs - ~$680,000
   1. Added a small sum of deposit to the LINK-BNB Vault (with this transaction).
   2. Sent 180 CAKE to the LINK-BNB Vault contract. (This is important! This is the key that leads to the hack.)
   3. Called getReward with the deposit of LINK-BNB Vault from the first step.
   4. With the rather large amount of CAKE token in the wallet balance of the vault contract (sent by the hacker at step 2), it returned a large amount of profit (see detailed analysis below). As a result, the system minted 100 MERLIN as a reward to the hacker.
   5. Repeated 36 times. Got 49K of MERLIN token in total.
   6. Swapped MERLIN token into 240 ETH and transferred out of BSC using Anyswap.
A few hours after the attack, another hacker exploited another error in their code - lost ~$550,000.
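The accounting flaw behind steps 2 to 4 of the first Merlin attack, as an added example that is not Merlin's contract code: a simplified Python model of a vault whose getReward reads "profit" from its own token balance, beside a variant that only counts yield the vault booked itself. The class, every name other than getReward, the mint rate, the payout behaviour and the depositor names are assumptions made for illustration.

```python
# Added illustration: a constructed, simplified model (not the project's code).
MINT_PER_CAKE = 2  # assumed: reward tokens minted per unit of CAKE profit


class Vault:
    def __init__(self, trust_wallet_balance):
        self.trust_wallet_balance = trust_wallet_balance
        self.cake_balance = 0  # what CAKE.balanceOf(vault) would report
        self.deposits = {}     # user -> LP staked
        self.earned = {}       # user -> CAKE yield booked by harvest()
        self.minted = {}       # user -> reward tokens minted so far

    def deposit(self, user, lp):
        self.deposits[user] = self.deposits.get(user, 0) + lp

    def harvest(self, cake):
        """Farm yield: tokens arrive and are booked pro rata to stakers."""
        total = sum(self.deposits.values())
        self.cake_balance += cake
        for user, lp in self.deposits.items():
            self.earned[user] = self.earned.get(user, 0) + cake * lp // total

    def raw_transfer(self, cake):
        """Plain token transfer to the vault address: no vault code runs."""
        self.cake_balance += cake

    def get_reward(self, user):
        if self.deposits.get(user, 0) == 0:
            raise PermissionError("no deposit")
        if self.trust_wallet_balance:
            profit = self.cake_balance         # flaw: counts unsolicited tokens
        else:
            profit = self.earned.get(user, 0)  # only yield the vault booked
        self.earned[user] = 0
        self.cake_balance -= profit            # assumed: profit is paid out
        reward = profit * MINT_PER_CAKE
        self.minted[user] = self.minted.get(user, 0) + reward
        return profit, reward


def minted_after_donations(trust_wallet_balance, rounds, donation=180):
    """Replay steps 1-5 against the model; return reward tokens minted."""
    vault = Vault(trust_wallet_balance)
    vault.deposit("honest", 1000)    # constructed depositor
    vault.deposit("claimer", 1)      # step 1: small deposit
    for _ in range(rounds):
        vault.raw_transfer(donation)  # step 2: tokens sent straight to vault
        vault.get_reward("claimer")   # steps 3-4: mint driven by "profit"
    return vault.minted.get("claimer", 0)
```

With internal accounting the transferred tokens simply sit in the vault and never reach the mint calculation, which makes this scenario a useful regression test for any reward path that reads a token balance.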
4. BurgerSwap - ~$7,000,000
   1. At around 3 am on May 28th (UTC+8) #BurgerSwap on the BSC chain encountered a flash loan attack; $7.2M was stolen from #BurgerSwap in 14 transactions.
   2. Here is the core of the attack: hackers created their own Fake Coin (non-standard BEP-20 tokens) and formed a new trading pair with $BURGER.
   3. By adjusting the routing, the attacker created $BURGER -> Fake Coin -> $WBNB routing; through the $BURGER -> Fake Coin trading pair, the attacker re-entered BurgerSwap through Fake Coin and manipulated the number of reserve0 and reserve1 in the pair’s contract, causing the price to change.
   4. Then re-enter the transaction again and trade back the $WBNB, to obtain the extra amount of WBNB inputted.
   5. Using WBNB as an example to illustrate the details of the attacks:
      (1) Attacker flash swapped 6,000 $WBNB ($2M) from PancakeSwap;
      (2) Then swapped almost all $WBNB to 92,000 $BURGER on BurgerSwap;
      (3) Created pair with a fake token on BurgerSwap and added 100 fake tokens and 45k $BURGER to pool;
      (4) Swapped 100 fake tokens to 4,400 $WBNB through the pool;
      (5) Because of reentrancy in time of transfer fake token, attacker did another swap from 45k $BURGER to 4.4k $WBNB;
      (6) In total attacker received 8,800 $WBNB in the two latest steps;
      (7) Swapped 493 $WBNB to around $108,700 BURGER on BurgerSwap;
      (8) Attacker repaid the flash swap.
All mentioned platforms have already set up ways to recover from the exploits. Follow their progress if you've invested in their platform or bought their token/s.
For those interested in keeping up with this kind of news, follow https://rekt.news/