Cryptocurrency analyst Crypto Pwnage writes that tokens worth more than $1.8 million have been withdrawn from one of PancakeSwap's pools.
As Crypto Pwnage reports in a blog post on Medium, since April 12, 2021, the person who had access to the PancakeSwap admin address on the Binance Smart Chain (0x35f16a46d3cf19010d28578a8b02dfa3cb4095a1) stole about $59,765 million from the PancakeSwap lottery pool.
The attacker exploited the vulnerability several times. Shortly after the last theft, the lottery was suspended and the address was blocked by PancakeSwap. According to the article, the author waited several weeks to give PancakeSwap enough time to publish information about the theft and compensate affected users for their losses. However, the decentralized exchange never released the data.
According to Crypto Pwnage, the PancakeSwap administrator used his ability to manually invoke lottery contract methods. He made several calls at the same time (buy, enter the draw, draw) and put them all in one block. This gave him the ability to predict the jackpot numbers, since a random number generator based on the hash of the previous block is no longer random once the ticket purchase and the draw land in the same block.
To execute the requests in the correct sequence within each block, he set a different, decreasing gas price for each transaction. From April 21, the attacker also optimized his strategy, refining the gas prices to bring the transactions closer to each other within the block.
One might assume that the transactions are unrelated and that this is just a random forward trade. However, Crypto Pwnage provides several pieces of evidence to dispel this assumption: for example, the coordinated change in gas prices from April 19 to April 21, and the fact that the administrator actually created the possibility of exploiting the vulnerability by executing two transactions simultaneously.
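The on-chain pattern described above (one sender buying a ticket and running the draw in the same block, ordered by decreasing gas prices) can be checked for mechanically. The following is an added detection example, not code from Crypto Pwnage's post or from PancakeSwap; the method labels, addresses and transactions are constructed assumptions.

```python
from collections import defaultdict

# Hypothetical labels for the three lottery calls the article names
# (buy, enter the draw, draw); the contract's real method names are not on the page.
SEQUENCE = ("buy", "enter_draw", "draw")

def contains_in_order(methods, wanted):
    """True if `wanted` appears as an ordered subsequence of `methods`."""
    it = iter(methods)
    return all(w in it for w in wanted)

def flag_same_block_draws(txs):
    """Flag (block, sender) pairs where one sender bought a ticket and ran
    the draw inside the same block, and report the gas-price ordering."""
    groups = defaultdict(list)
    for tx in txs:
        groups[(tx["block"], tx["sender"])].append(tx)
    findings = []
    for (block, sender), group in sorted(groups.items()):
        calls = sorted((t for t in group if t["method"] in SEQUENCE),
                       key=lambda t: t["index"])  # position inside the block
        if not contains_in_order([t["method"] for t in calls], SEQUENCE):
            continue
        prices = [t["gas_gwei"] for t in calls]
        findings.append({
            "block": block,
            "sender": sender,
            # strictly decreasing gas prices force the intra-block ordering
            "gas_ladder": all(a > b for a, b in zip(prices, prices[1:])),
            # distance between first and last call; smaller means tighter packing
            "span": calls[-1]["index"] - calls[0]["index"],
        })
    return findings

# Constructed sample transactions (not real chain data).
SAMPLE_TXS = [
    {"block": 100, "index": 3, "sender": "0xADMIN", "method": "buy", "gas_gwei": 12},
    {"block": 100, "index": 4, "sender": "0xADMIN", "method": "enter_draw", "gas_gwei": 11},
    {"block": 100, "index": 5, "sender": "0xADMIN", "method": "draw", "gas_gwei": 10},
    {"block": 101, "index": 2, "sender": "0xUSER1", "method": "buy", "gas_gwei": 5},
    {"block": 105, "index": 0, "sender": "0xADMIN", "method": "enter_draw", "gas_gwei": 6},
    {"block": 105, "index": 1, "sender": "0xADMIN", "method": "draw", "gas_gwei": 6},
    {"block": 110, "index": 1, "sender": "0xUSER2", "method": "buy", "gas_gwei": 5},
    {"block": 110, "index": 7, "sender": "0xADMIN", "method": "enter_draw", "gas_gwei": 6},
    {"block": 110, "index": 8, "sender": "0xADMIN", "method": "draw", "gas_gwei": 6},
]

if __name__ == "__main__":
    for finding in flag_same_block_draws(SAMPLE_TXS):
        print(finding)
```

Only block 100 is flagged: an ordinary draw without a same-sender purchase (block 105) and a user's purchase that happens to share a block with the draw (block 110) do not match.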
The analyst also proposed a fix to address the potential for similar vulnerabilities in the future, including changing the criteria for the draw transaction so that jackpot numbers are truly random.
Recall that in March, the PancakeSwap decentralized exchange was subjected to phishing attacks on DNS servers.
