Saturday, April 27 2024

PancakeSwap Lottery Hack: $1.8 Million in Question


Projects built on the Binance Smart Chain continue to be exploited. The latest exploit was carried out by someone who had access to the PancakeSwap admin address.

The Exploit

It’s an age-old problem with smart contracts: randomness. Solidity has no native random function, and all sources of randomness have to be on-chain. Projects use things like block headers, transaction hashes, and more to create legitimate sources of randomness, but none are truly random – they are merely pseudorandom.

This issue has led to exploits in the past, such as the recent Meebits exploit. The PancakeSwap lottery numbers were generated based on certain predictable conditions. The exploiter could use this information to predict the numbers in advance, thus draining the entire pool.
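The difference between a draw built only from public chain data and one bound to a prior commitment can be shown in a few lines. This is an added example, not PancakeSwap's contract code: the function names, the SHA-256 stand-in for Solidity's keccak256, the number range and all sample values are assumptions constructed for illustration.

```python
import hashlib
import secrets

def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenated parts (stand-in for keccak256)."""
    return hashlib.sha256(b"".join(parts)).digest()

def numbers(seed: bytes, count: int = 4, max_number: int = 14) -> list[int]:
    """Map a seed to `count` lottery numbers in 1..max_number (assumed format)."""
    return [int.from_bytes(h(seed, bytes([i])), "big") % max_number + 1
            for i in range(count)]

def weak_draw(block_hash: bytes, timestamp: int, round_id: int) -> list[int]:
    """Weak pattern: every input is public chain state, so the result is a
    pure function that any observer can evaluate for themselves."""
    seed = h(block_hash, timestamp.to_bytes(8, "big"), round_id.to_bytes(8, "big"))
    return numbers(seed)

def commit(secret: bytes) -> bytes:
    """Hash the operator publishes before ticket sales open."""
    return h(b"commit", secret)

def committed_draw(commitment: bytes, secret: bytes, later_block_hash: bytes) -> list[int]:
    """Hardened pattern: the revealed secret must match the earlier commitment
    and is mixed with a block hash produced after ticket sales close."""
    if commit(secret) != commitment:
        raise ValueError("revealed secret does not match the published commitment")
    return numbers(h(secret, later_block_hash))

def demo() -> tuple[bool, list[int]]:
    # Constructed sample values, not taken from any real chain.
    block_hash, ts, round_id = h(b"constructed block 1000"), 1_620_000_000, 7
    published = weak_draw(block_hash, ts, round_id)
    recomputed = weak_draw(block_hash, ts, round_id)  # observer, public data only
    secret = secrets.token_bytes(32)                  # known only to the operator
    commitment = commit(secret)                       # published up front
    later = h(b"constructed block 1010")
    return published == recomputed, committed_draw(commitment, secret, later)

if __name__ == "__main__":
    print(demo())
```

Commit-reveal removes predictability for outside observers only; whoever holds the secret still knows half of the input, which is why a review of such a contract should also cover who controls the admin key.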

Who Did It, and Why?

The author of this post has provided detailed evidence proving that this may indeed have been foul play from the PancakeSwap admins, given that they created the contract, ‘found’ the exploit, and took the money using their own address.

While it’s true that the admin account did make use of the exploit and drain the funds, the author has a misconception: this was no foul play, and the funds weren’t stolen. While there has been no official statement from the PancakeSwap team on the matter, this event was clearly a white hat removal of funds from the contract, preventing a malicious actor from figuring out the bug and exploiting it.

This is evident, first of all, from the fact that the PancakeSwap admins used their publicly known address to carry out the exploit. If they wished to drain the funds maliciously, they would have used an anonymous account. Secondly, the funds recovered from the lottery pool are being burned in batches by the admin address.

While an exploit is scary and never a good sign, the handling of this by the team instills some confidence, proving that PancakeSwap is willing to fix issues when necessary (even though they could have trivially taken the morally reprehensible path by stealing user funds).


About Varun GS
