Rabbit Finance's Statement on Contract Security

The BSC protocol is seeking to answer questions that have arisen regarding the legitimacy of their platform.

July 14, 2021
BSC News

Rabbit Finance Releases Statement

Rabbit Finance is a cross-chain leveraged lending protocol on BSC. Products with low-interest leveraged farming and up to 9x leverage are highly recognized by the market. The TVL reaches up to $1,100,000,000.

Regarding some potential contract security issues reported by several social media accounts, Rabbit Finance made the following statement:

1. Smart Contract of Rabbit Finance is audited by both CertiK and ChainsGuard, and the security of the contract is recognized and guaranteed by authoritative institutions. It is expected that the 3rd audit report of a top auditor will be announced at the end of July, and the cross-chain plan will be launched.

2. Regarding the issue of time lock authority: current contracts related to the security of user assets have all been added with time lock, and user assets are safe. Regarding the contract authority mentioned by the user that is not related to the security of the user’s assets: the newly added contract authority for leverage farming and the authority for token mint, will all be transferred to time lock today.

3. We can see that the rumors about the security of Rabbit Finance contracts never occurred, and more are some worries and speculations from several social media accounts. The team appreciates professional suggestions, and advocates positive competition and objective media reports.

4. Many users have noticed Rabbit Finance has been continuously harassed by DDOS recently and malicious speculation reports, and the community believes that it is a planned smear of Rabbit Finance by other competitors. We firmly believe that this situation does not exist and call on users to remain rational. We firmly believe that every DeFi product developer adheres to the original intention and vision of creating value for users, and we should all prioritize our products.

In response to questions raised on social media, Rabbit Finance's marketing team wrote more detailed contract safety instructions.

Question 1: RABBIT total token supply is not limited to 203,000,000 as the Rabbit team says

“Even though Rabbit finance has mentioned in its docs that its token RABBIT should have a maximum of 203,000,000 tokens, the code on the token contract shows that there is no max supply limit within the function `mint`. Hence, RABBIT can be minted to exceed the stated max supply of 203,000,000 RABBIT.”


From the above survey results, it can be confirmed that the maximum supply of rabbits is not limited to 203,000,000 according to the provisions in the document, and the information in the document is wrong.


The maximum supply of RABBIT tokens is 203,000,000 RABBIT, which is the plan for the maximum token supply in the white paper/document. In fact, the design is similar to SUSHI project tokens, the difference is that SUSHI has not announced the maximum release of its tokens. Both RABBIT and SUSHI control the current token production/minting rate through the decline of block output. RABBIT will stop minting and destroy the minting authority when the accumulated mint amount reaches the maximum release. Before the minting authority is destroyed, the minting rights of RABBIT will be time-locked.

Current Mint Amount: 49,401,271.15 RABBIT (Including the completed minting and the balance to be farmed in the farming pool)

Circulating Amount: 35051860.58 RABBIT

Current Global Emission Rate: 15 RABBIT/Block


owner of FairLaunch Contract handover to Time Lock.

owner of FairLaunch Contract handover record: 

owner of RABBIT token handover to Time Lock.

owner of RABBIT token handover record:

Question 2: INFINITE MINT; The owner of Rabbit’s FairLaunch can infinitely mint RABBIT at any time

"The `manualMint` function in Rabbit’s FairLaunch also doesn’t have any cap limit. Hence, the owner of FairLaunch can manually mint an infinite amount of RABBIT. However, when viewing this, we realized the Rabbit team may have set the owner of FairLaunch to be some other contract that contained the cap validation for the `manualMint`. Hence, we needed to investigate the owner variable.”


This means that the rabbit team can call `manualMint` at any time to mint an unlimited amount of RABBIT without notifying their users before performing this operation. This is also not restricted by Timelock.


As mentioned in Question 1,

owner of FairLaunch Contract handover to Time Lock.

owner of FairLaunch Contract handover record:

owner of RABBIT token moved to Time Lock.

owner of RABBIT token moved record:

Question 3: 100% of positions can be liquidated and funds stolen at any time; Configurable protocol parameters have no maximum limit.

"The parameters mentioned in Rabbit’s doc have no maximum limit to govern their possible values.
These parameters are:
- `feeBps`: the Auto Compound Reserve currently configured at 30%
- `getReserveBps`: the Deposit Reserve deducted from lending interest currently configured at 20%
- `getLiquidateBps`: the Liquidation Reserve deducted from the liquidated position value currently configured at 5%
These parameters could be set to 100% by the owner of the contract which would mean the Rabbit team will be able to take all the farming yields and borrow interest income from users. The most worrisome part though is if the liquidation bounty is set to 100%, it would mean the protocol can steal the entire position value from users." 


Without code to prevent the configuration of parameters to unreasonable values, the users could never be sure if this loophole will be taken advantage of.


All the authority and parameters are in the BANK Contract and Config Contract, which have already moved to Time Lock.

owner of BANK contract move record:

owner of Config contract move record:

Question 4: All funds in Rabbit’s platform can be stolen; Rabbit’s EOA account can upgrade the implementation contract at any time

"In their docs, Rabbit has mentioned the use of the `ProxyAdmin` pattern to manage all their upgradeable contracts.
After trying to query implementation contracts for all goblin contracts (yield farming contracts) which are listed on the document site, only 9 goblin contracts out of 33 returned the implementation contract addresses. This means only 9 farming pools out of Rabbit’s 33 are actually managed by the `ProxyAdmin`.
To find out which address has the right to upgrade/manage other proxy contracts that are not managed by `ProxyAdmin`, we needed to investigate each proxy contract. What this means is that the “0x746ff9b65d48008b1ca2ef9fda10dd6139c0c75f” address can change the implementation of the above farms at any time without going through Timelock or notifying the community.
After investigating “0x746ff9b65d48008b1ca2ef9fda10dd6139c0c75f”, it can be confirmed that the Rabbit team owns this account as the “Rabbit Finance: Deployer” account funded this account’s gas fee. (See the first tx for this address below.)"


The Rabbit team can rug pull at any time and these vulnerabilities strongly suggest intent to do so. They can steal all user funds in their platform as well as infinite mint and dump on RABBIT token holders.


So far, the above description has not actually had any impact on the user’s assets, but it expresses the user’s security concerns about whether to add a time lock in the relevant contract. There is no security problem of the so-called unlimited minting and theft of funds. In order to eliminate the concerns that users may have, we make the following adjustments.


The other 24 Goblin contracts have been moved to the ProxyAdmin contract, and ProxyAdmin has been handed over to Time Lock. Please visit the contract below for more information.

ProxyAdmin contract address:

No items found.

Text Link

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.