PancakeSwap Lottery Hack: $1.8 Million in Question
The Binance Smart Chain continues to see some of the projects being built on it exploited. The latest was done by someone who had access to the PancakeSwap admin address.
The Exploit
It’s an age-old problem with smart contracts: randomness. Solidity has no native random function, and all sources of randomness have to be on-chain. Projects use things like block headers, transaction hashes, and more to create legitimate sources of randomness, but none are truly random – they are merely pseudorandom.
This issue has led to exploits in the past, such as the recent Meebits exploit. The PancakeSwap lottery numbers were generated based on certain predictable conditions. The exploiter could use this information to predict the numbers in advance, thus draining the entire pool.
Who Did It, and Why?
The author of this post has provided detailed evidence proving that this may indeed have been foul play from the PancakeSwap admins, given that they created the contract, ‘found’ the exploit, and took the money using their own address.
While it’s true that the admin account did make use of the exploit and drain the funds, the author has a misconception: this was no foul play, and the funds weren’t stolen. While there has been no official statement from the PancakeSwap team on the matter, this event was clearly a white hat removal of funds from the contract, preventing a malicious actor from figuring out the bug and exploiting it.
This is evident, first of all, from the fact that the PancakeSwap admins used their public known address to carry out the exploit. If they wished to drain the funds maliciously, they would have used an anonymous account. Secondly, the funds recovered from the lottery pool are being burned in batches by the admin address.
While an exploit is scary and never a good sign, the handling of this by the team instills some confidence, proving that PancakeSwap is willing to fix issues when necessary (even though they could have trivially taken the morally reprehensible path by stealing user funds).