One week ago, the Beefy Dev team made a coding error while upgrading the Beefy.Finance Bunny vault strategy. The new strategy was constructed using an invalid address. Instead of pointing to the Bunny vault, it referenced the old strategy. This invalid reference locked 6,542.73 BUNNY in the vault forever.
After governance votes for both the PancakeBunny community, and the Beefy community all funds have been rescued, and Beefy.Finance users who were affected have been compensated for one week of lost earnings.
How Bunny and Beefy worked together to keep your funds SAFU
As soon as we realised that the error had locked up Beefy users funds, we began looking for ways to solve this issue. We conducted an investigation into different alternatives that would let our users get back their lost BUNNY tokens.
We needed to find a way to prove that the BUNNY was really locked forever, because then we could talk with the PancakeBunny team about treating those locked Bunny as burned and possibly minting new Bunny for the affected users.
On our vault strategy Smart Contracts we have two roles, the “keeper” and the “owner”. These two roles have equal rights and are the only ones that can call privileged functions in the strategy: such as panic(), pause() and unpause().
We knew that if we renounce ownership, and set the keeper to 0x00, the BUNNY would be locked forever in that contract, and therefore, burnt forever.
Once we had the plan, with the help of Binance, we connected with the PancakeBunny team. We presented the situation and two possible solutions to their team. Both solutions required PancakeBunny to mint new BUNNY to replace the amount burnt by us. This newly minted BUNNY would then be used to refund the vault users.
Positive Community Response
Thankfully, the PancakeBunny team was eager to help our users recover their funds. Like most teams last week, they were also very busy handling their planned maintenance for the PancakeSwap V2 Migration.
As soon as the migration finished, their team released a community proposal to mint some new BUNNY to refund our users. At the same time, we took action and released a community proposal to use the Beefy treasury to buy additional BUNNY to give to our users as compensation for the missed earnings while their funds were locked.
What should I do now?
As of now, users are seamlessly withdrawing their Bunny from the vault and have received an airdrop to cover their lost earnings.
- Press “APPROVE” and confirm on metamask
- Press “REFUND” and confirm on metamask
The yield compensation was airdroped to the vault users based on a snapshot of all the mooBunny (vault receipt) tokens taken yesterday Apr-29–2021 3:10 PM UTC
Sequence of events:
- Apr-22–2021 12:36 PM UTC — The Beefy team made a coding error when upgrading its Bunny vault.
- Apr-22–2021 1:47 UTC — Our mods talk with users unable to withdraw from the vault
- Apr-22–2021 2:06 PM UTC — Sirbeefalot reviews the SC, finds the funds are locked, and contact the dev team
- -22–2021 3:03 PM UTC — Roman Monk gets to the same conclusion after reviewing it
- Apr-22–2021 3:10 PM UTC — Beefy dev team starts reviewing the PancakeBunny SCs in order to find an exit to the problem
- Apr-22–2021 3:50 PM UTC — The team arrives at the conclusion that the easiest way to rescue the funds was to burn and mint with the help of PancekeBunny.
- Apr-22–2021 4:10 PM UTC — Roastyb contacts Binance to help us communicate with the PancakeBunny team
- Apr-22–2021 4:38 PM UTC — We communicate the problem we had and the potential solution to the PancakeTeam
- Apr-23–2021 9:39 AM UTC — The PancakeBunny team tell us they are willing to run the mint operation through voting, after PCS migration which was their top priority.
- Apr-25–2021 4:02 PM UTC — Sirbeefalot sends a document to PancakeBunny outlining all the important information about the vault, strategy, the proof of burn and two potential rescue plans.
- Apr-27–2021 6:00 AM UTC — The PancakeBunny team releases the proposal “to Rescue Bunny and Aid Our Beefy Friends”
- Apr-27–2021 7:00 PM UTC — Roastyb writes the proposal “Budget request for yield compensation” in order to compensate for the opportunity cost of the users locked in the vault.
- Apr-28–2021 7:00 PM UTC — Beefy compensation proposal passes
- Apr-29–2021 6:00 AM UTC — PancakeBunny Proposal passes
- Apr-29–2021 03:22 PM UTC — Sirbeefalot deploys the Rescue ontract
- Apr-29–2021 3:40 PM UTC — Sirbeefalot communicates to PancakeBunny that we burned keeper and renounced the owner of the strategy
- Apr-30–2021 05:16 AM UTC — PancakeBunny mints 6,542.73 BUNNY
- Apr-30–2021 05:16 AM UTC — PancakeBunny sends the minted Bunny to the rescue contract
- Apr-30–2021 07:39 AM UTC — Suberbeefyboy merges the UI fixes in order for users to withdraw their BUNNY
- Apr-30–2021 01:13 PM UTC — Bunny compensation Airdrop executed to mooBunny holders. Snapshot timestamp: Apr-29:2021 03:13 PM.
What Did We Learn?
Our systems are only as strong as the most vulnerable parts of it. Despite having a solid testing suite for the vault releases, we did not have the same safety measurements in place such for strategy upgrade. This made them vulnerable to human error.
We have analyzed every aspect of our testing suite and have come to the conclusion that it was lacking in certain areas.
Why won’t this happen again?
Added smart contract level checks
The new BeefyVaultV6 won’t accept an upgrade in cases where there’s been an error in configuration.
Automated testing suite for upgrades
We have implemented a rigorous test suite to make sure that the lifecycle of a vault is intact after upgrading.
Kickstarting the AuditsDAO
We’ve outlined an extensive bug bounty program that will run not only for live contracts, but for pending upgrades. A proposal to implement it and fund it with the Beefy treasury will be live early next week. This will be the first step to having a security focused DAO protecting the Beefy ecosystem.
Forming the Council of SAFU
There is a live proposal to form a time locked multisig of trusted BSC parties. This will serve as a saviour of last resort in case everything else goes wrong. The multisig will be able to rescue and refund locked funds in the vault. It will also be able to interact with the underlying farms in case it’s necessary.