AutoShark hacked for ~$745k

Bunnies are reproducing quite fast, and as it turns out, not only in nature but also on the blockchain. AutoShark was a nearly 1:1 fork of PancakeBunny, and apart from copying all the logic, they also copied the flawed logic responsible for the PancakeBunny hack.

The attacker took a 100K BNB flash loan and minted 135M SHARK tokens from AutoShark. As a result, the attacker walked away with 2.2k WBNB (~$745k).

Here’s the transaction for the hack on BscScan: 0xfbe65ad3eed6b28d59bf6043debf1166d3420d214020ef54f12d2e0583a66f13

I won’t go into many details about how this hack was possible, as I already described it in my PancakeBunny analysis; WatchPug has also published an analysis of the attack.

The reason behind the hack isn’t something new. I’m not talking about the exploit itself, but about why it was there in the first place. Everybody wants a piece of the current $58B TVL. Many projects are FOMOing into the space by copy-pasting code from other projects, which was itself copy-pasted from reputable projects, and so on. That is, of course, part of the ecosystem's composability and openness, but if you reuse someone else's code, always make sure it doesn’t carry any known issues. Check the latest hacks and audit reports of the project you’re forking from to see whether any issues remain unresolved.

And for god’s sake, before posting an article on Medium about the PancakeBunny hack, make sure that you, having copied their code, aren’t vulnerable to the same issue.

I already wrote articles about “The State of Security in DeFi” and why issues like this are still present, with a categorization of incidents on Ethereum/BSC. One is already linked; the second is here.


Thanks for reading, and if you like my writing, you can subscribe to my blog to receive the daily newsletter, as I’m currently in the middle of a 100 days of blogging challenge. Subscription box below 👇

If the newsletter is not your thing, check out my Twitter @adrianhetman, where I post and share exciting news from the blockchain and security world.

See you tomorrow!