$1 800 000 USD

APRIL 2021

GLOBAL

PANCAKESWAP

DESCRIPTION OF EVENTS

"PancakeSwap is a decentralized exchange (DEX) on the Binance Smart Chain (BSC), which uses permissionless liquidity pools run by algorithms. This creates what is known as an automated market maker (AMM)."


"PancakeSwap has its own native BEP-20 token, CAKE, which can be staked or spread across Syrup Pools. Syrup pools provide tokens from other BSC projects such as Injective Labs (INJ) and CertiK (CTK), to name a couple."


"As previously mentioned, PancakeSwap runs on BSC, using BEP-20 tokens. BSC has much lower fees than Ethereum, with fees ranging anywhere from $0.04-$0.20 and transactions taking about five seconds on BSC."


"It is very important to note that CAKE has an unlimited total supply, and at the time of writing still has a positive emissions rate. At this point in time CAKE is still an inflationary token, but its team is working to introduce new deflationary measures on top of its lottery system."


"According to sources, since April 12, 2021, a person who has access to Binance Smart Chain account 0x35f16a46d3cf19010d28578a8b02dfa3cb4095a1 (PancakeSwap administrator account) has stolen 59,765 Cakes (approximately US$1,800,000) from the PancakeSwap lottery pool. After hackers exploited the vulnerability several times, PancakeSwap banned the account."


"He used the exploit a few times. Shortly after the last theft the lottery game was suspended, and this account was banned by PancakeSwap. It gives a clear thought that PancakeSwap has been aware of the theft at that moment."


"While it’s true that the admin account did make use of the exploit and drain the funds, the author has a misconception: this was no foul play, and the funds weren’t stolen. While there has been no official statement from the PancakeSwap team on the matter, this event was clearly a white hat removal of funds from the contract, preventing a malicious actor from figuring out the bug and exploiting it."


"This is evident, first of all, from the fact that the PancakeSwap admins used their public known address to carry out the exploit. If they wished to drain the funds maliciously, they would have used an anonymous account. Secondly, the funds recovered from the lottery pool are being burned in batches by the admin address."


"While an exploit is scary and never a good sign, the handling of this by the team instills some confidence, proving that PancakeSwap is willing to fix issues when necessary (even though they could have trivially taken the morally reprehensible path by stealing user funds)."


"To make jackpot numbers genuinely random, the drawing transaction should meet two criteria. First: it should be at least a few blocks away from the enterDrawingPhase transaction in order to prevent exploitation of a known block hash. A block distance check should be performed inside the drawing method as a requirement. Second: the drawing transaction should be performed at a predefined time (e.g. 02:05:00 PM), or in a predefined time interval after the enterDrawingPhase method (e.g. 05:00 minutes). If the second criterion is not met, there is another opportunity to exploit: the admin might manipulate the jackpot numbers by waiting for the “right” block to inject the drawing transaction."

Nothing is ever fully random; a form of pseudorandomness was used to determine the payout of CAKE bonuses.


Unfortunately, this randomness could be exploited by a knowledgeable individual, since it was derived from the block hash, a value that is public on-chain and known to the sender before the drawing transaction is submitted. The admins appear to have performed the minting themselves and burned the resulting tokens to prevent a hacker from doing so.
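The two criteria quoted above (a block-distance check inside the drawing method, and a predefined drawing time) can be expressed directly in the contract. The following is an added illustration written for this page; it is not PancakeSwap's lottery contract, and every name in it (LotteryDrawGuard, drawingUnsafe, MIN_BLOCK_DISTANCE, DRAW_DELAY, DRAW_WINDOW, MAX_NUMBER, externalRandomNumber, rearmDrawingPhase) is hypothetical. It shows the weak pattern, a seed taken from a block hash the sender already knows, next to a hardened drawing method that binds the seed to a block fixed in advance and refuses draws outside the time window.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration only: this is not PancakeSwap's lottery contract.
// All names (LotteryDrawGuard, drawingUnsafe, MIN_BLOCK_DISTANCE, ...) are hypothetical.
contract LotteryDrawGuard {
    uint256 public constant MIN_BLOCK_DISTANCE = 10;   // criterion 1: blocks between enter and draw
    uint256 public constant DRAW_DELAY = 5 minutes;    // criterion 2: predefined interval after enter
    uint256 public constant DRAW_WINDOW = 1 minutes;   // tolerance around the predefined time
    uint8 public constant MAX_NUMBER = 14;             // hypothetical number range 1..14

    address public immutable admin;
    bool public drawingPhase;
    uint256 public drawingPhaseBlock;      // block in which enterDrawingPhase() was mined
    uint256 public drawingPhaseTimestamp;  // timestamp of that block
    uint8[4] public winningNumbers;

    event DrawingPhaseEntered(uint256 blockNumber, uint256 timestamp);
    event DrawingRearmed(uint256 blockNumber, uint256 timestamp);
    event NumbersDrawn(uint8[4] numbers, uint256 seedBlock);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor() {
        admin = msg.sender;
    }

    function enterDrawingPhase() external onlyAdmin {
        require(!drawingPhase, "already in drawing phase");
        drawingPhase = true;
        drawingPhaseBlock = block.number;
        drawingPhaseTimestamp = block.timestamp;
        emit DrawingPhaseEntered(block.number, block.timestamp);
    }

    // Weak pattern: the seed depends on the previous block's hash, which the sender
    // can read before submitting, so the outcome is computable in advance and the
    // sender can simply wait for a block that produces the numbers they want.
    function drawingUnsafe(uint256 externalRandomNumber) external onlyAdmin {
        require(drawingPhase, "not in drawing phase");
        bytes32 seed = keccak256(
            abi.encodePacked(blockhash(block.number - 1), externalRandomNumber)
        );
        _setWinningNumbers(seed);
        drawingPhase = false;
        emit NumbersDrawn(winningNumbers, block.number - 1);
    }

    // Hardened pattern: the seed block is fixed by enterDrawingPhase(), and the
    // draw must land in a predefined window rather than whenever the admin likes.
    function drawing(uint256 externalRandomNumber) external onlyAdmin {
        require(drawingPhase, "not in drawing phase");

        // Criterion 1: block-distance check performed inside the drawing method.
        uint256 seedBlock = drawingPhaseBlock + MIN_BLOCK_DISTANCE;
        require(block.number > seedBlock, "too soon after enterDrawingPhase");
        // blockhash() returns 0 for anything older than the 256 most recent blocks.
        require(block.number - seedBlock <= 256, "seed block no longer available");

        // Criterion 2: the draw must happen at the predefined time.
        uint256 earliest = drawingPhaseTimestamp + DRAW_DELAY;
        require(block.timestamp >= earliest, "before drawing time");
        require(block.timestamp < earliest + DRAW_WINDOW, "drawing window missed");

        bytes32 seed = keccak256(
            abi.encodePacked(blockhash(seedBlock), externalRandomNumber)
        );
        _setWinningNumbers(seed);
        drawingPhase = false;
        emit NumbersDrawn(winningNumbers, seedBlock);
    }

    // A missed window leaves the round stuck; re-arming picks a new seed block and
    // emits an event so that every skipped draw is visible on-chain.
    function rearmDrawingPhase() external onlyAdmin {
        require(drawingPhase, "not in drawing phase");
        require(
            block.timestamp >= drawingPhaseTimestamp + DRAW_DELAY + DRAW_WINDOW,
            "window still open"
        );
        drawingPhaseBlock = block.number;
        drawingPhaseTimestamp = block.timestamp;
        emit DrawingRearmed(block.number, block.timestamp);
    }

    // Expands the seed into four numbers in 1..MAX_NUMBER.
    function _setWinningNumbers(bytes32 seed) internal {
        for (uint256 i = 0; i < 4; i++) {
            uint256 n = uint256(keccak256(abi.encodePacked(seed, i))) % MAX_NUMBER;
            winningNumbers[i] = uint8(n + 1);
        }
    }
}
```

Two caveats worth keeping in mind when reviewing a contract like this. First, once the seed block has been mined its hash is public, so the hardened method removes the admin's ability to choose which block's hash is used, but not the ability to read the result before the draw; the time window and the DrawingRearmed event exist so that declining to draw is a visible, auditable act rather than a silent retry. Second, block.timestamp is set by the block producer within a tolerance of a few seconds, so DRAW_WINDOW should be wide enough not to be missed by honest drift, which is why the example uses a one-minute window rather than an exact second.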

HOW COULD THIS HAVE BEEN PREVENTED?

This incident did not involve the loss of any customer funds. It could, of course, have been prevented if the payout had been validated by human beings.


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.