Thursday, June 24 2021

PancakeSwap Lottery Hack: $1.8 Million in Question


By Varun GS


The Binance Smart Chain continues to see projects built on it exploited. The latest exploit was carried out by someone who had access to the PancakeSwap admin address.

The Exploit

It’s an age-old problem with smart contracts: randomness. Solidity has no native random function, and all sources of randomness have to be on-chain. Projects use things like block headers, transaction hashes, and more to create legitimate sources of randomness, but none are truly random – they are merely pseudorandom.

This issue has led to exploits in the past, such as the recent Meebits exploit. The PancakeSwap lottery numbers were generated based on certain predictable conditions. The exploiter could use this information to predict the numbers in advance, thus draining the entire pool.
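To make the randomness problem concrete, the following added sketch (not PancakeSwap's contract and not code from the post discussed here) puts a block-derived draw beside a commit-reveal draw. The contract name, function names and parameters are all hypothetical, and ticket sales and payouts are left out so that only the draw logic is shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added illustration only; not PancakeSwap's contract. All names are hypothetical.
contract LotteryDrawSketch {
    address public immutable operator;
    bytes32 public commitment;   // keccak256(abi.encodePacked(secret)), set before sales open
    uint256 public closeBlock;   // last block in which tickets may be bought
    uint256 public winningNumber;
    bool public drawn;

    constructor() {
        operator = msg.sender;
    }

    modifier onlyOperator() {
        require(msg.sender == operator, "not operator");
        _;
    }

    // WEAK: every input is public or set by the block producer, so the
    // result is known to others before the draw is settled.
    function weakDraw(uint256 range) public view returns (uint256) {
        return uint256(keccak256(abi.encodePacked(
            block.timestamp, blockhash(block.number - 1), msg.sender
        ))) % range;
    }

    // HARDENED, step 1: bind the operator to a secret before any ticket is sold.
    function openRound(bytes32 secretHash, uint256 salesBlocks) external onlyOperator {
        require(commitment == bytes32(0), "round already open");
        require(secretHash != bytes32(0), "empty commitment");
        commitment = secretHash;
        closeBlock = block.number + salesBlocks;
    }

    // HARDENED, step 2: mix the revealed secret with a block hash that did not
    // exist when the commitment was made or while tickets were on sale.
    function draw(bytes32 secret, uint256 range) external onlyOperator {
        require(!drawn, "already drawn");
        require(block.number > closeBlock + 1, "too early");
        require(keccak256(abi.encodePacked(secret)) == commitment, "bad reveal");
        bytes32 anchor = blockhash(closeBlock + 1);
        require(anchor != bytes32(0), "anchor expired"); // only the last 256 hashes are kept
        winningNumber = uint256(keccak256(abi.encodePacked(secret, anchor))) % range;
        drawn = true;
    }
}
```

Commit-reveal still leaves the operator free to withhold the reveal and the block producer some influence over the anchor hash. Where neither party should be trusted, a verifiable random function supplied by an oracle is the usual replacement.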

Who Did It, and Why?

The author of this post has provided detailed evidence proving that this may indeed have been foul play from the PancakeSwap admins, given that they created the contract, ‘found’ the exploit, and took the money using their own address.

While it’s true that the admin account did make use of the exploit and drain the funds, the author has a misconception: this was no foul play, and the funds weren’t stolen. While there has been no official statement from the PancakeSwap team on the matter, this event was clearly a white hat removal of funds from the contract, preventing a malicious actor from figuring out the bug and exploiting it.

This is evident, first of all, from the fact that the PancakeSwap admins used their publicly known address to carry out the exploit. If they wished to drain the funds maliciously, they would have used an anonymous account. Secondly, the funds recovered from the lottery pool are being burned in batches by the admin address.

While an exploit is scary and never a good sign, the handling of this by the team instills some confidence, proving that PancakeSwap is willing to fix issues when necessary (even though they could have trivially taken the morally reprehensible path by stealing user funds).
