Disclosing PancakeSwap, the first scam and cover up on Binance Smart Chain

PancakeSwap (https://pancakeswap.finance) is a decentralized exchange running on Binance Smart Chain, with lots of other features that let you earn and win tokens.

It also lets you lose a lot of money due to a flaw in their contract.

The contract is also “audited” by Certik (https://www.certik.foundation) and confirmed to be a safe one, which is false.

Note: While this was written, PancakeSwap was removed from Certik’s list of secured projects. Shortly after, it was added again.

The sad thing is, while people lost more than $500,000, the developers and admins do not care and continue to blame the buyers, saying that it is their own fault.

They are also currently ignoring/banning everyone who asks any question related to this exploit and deleting messages in their Telegram group (https://t.me/PancakeSwapAnn).

They are claiming that this is the user’s fault, because there was a warning not to trade Syrup. That is only partially true.

The warning was not there at the start; it showed up with an update to the site a couple of days ago.
At first, the admins and moderators confirmed that Syrup could be traded freely.
Once added, the warning only pointed out that if you sell Syrup, you would need to buy it back later. It did not point out that there is a flaw in the contract/code.

In the end, when a contract is audited, we all know whose fault that is (pinging Certik).

Also, if Syrup was not meant to be traded, it could easily have been removed from the PancakeSwap exchange at the start.

Let’s see how the exploit happened.

Besides the exchange part, PancakeSwap is also a yield farm, letting you earn Cake by staking, and other tokens by staking Syrup.

There are 3 options:

  1. You can farm Cake with liquidity
  2. You can stake Cake to get more Cake
  3. You can stake Syrup to get new tokens

Syrup is basically the proof of stake. You get Syrup only when you stake Cake.

If you stake 100 Cake, you get 100 Syrup. Then you can use that Syrup to farm new tokens.
At the moment you unstake your Cake, you give back (burn) the Syrup.

However, someone found an exploit in the code and managed to unstake their Cake without burning their Syrup.

They managed to illegally create at least 13,000,000 new Syrup and sold at least $500,000 worth of Syrup on the PancakeSwap exchange in the last 2 weeks.

Once PancakeSwap learned about this Syrup exploit, they discontinued Syrup’s use, and that led to Syrup being devalued to almost 0, causing Syrup buyers to lose huge amounts.
(Note: there are earlier messages from users in the Telegram chat saying that something is wrong with Syrup because its supply is higher than Cake’s, which should not be possible. These messages were either ignored by the admins and moderators, or they just decided to stay silent about it.)
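As an added illustration (not PancakeSwap’s or Certik’s code), the Python below replays a constructed stake/unstake log against the invariant the post relies on: every staked Cake is backed by exactly one Syrup, so Syrup supply must never exceed staked Cake, and every unstake must burn as much Syrup as it withdraws. Transaction hashes, user names and amounts are constructed placeholders, not real BSC data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    tx_hash: str       # constructed placeholder, not a real BSC transaction hash
    action: str        # "stake" (deposit Cake, mint Syrup) or "unstake" (withdraw Cake, burn Syrup)
    user: str
    cake: int          # Cake moved into (stake) or out of (unstake) the staking pool
    syrup_delta: int   # observed change in Syrup supply: +minted on stake, -burned on unstake


def audit(txs):
    """Replay the log and report every transaction that breaks the 1 Cake : 1 Syrup backing.

    Returns (staked_cake, syrup_supply, findings). Each finding is a tuple of
    (tx_hash, rule, observed, expected)."""
    staked = 0
    supply = 0
    findings = []
    for tx in txs:
        if tx.action == "stake":
            staked += tx.cake
            expected_delta = tx.cake        # a stake must mint exactly as much Syrup
        elif tx.action == "unstake":
            staked -= tx.cake
            expected_delta = -tx.cake       # an unstake must burn exactly as much Syrup
        else:
            raise ValueError(f"unknown action {tx.action!r}")
        supply += tx.syrup_delta
        # Per-transaction rule: Syrup minted/burned must match the Cake moved.
        if tx.syrup_delta != expected_delta:
            findings.append((tx.tx_hash, "syrup_delta_mismatch", tx.syrup_delta, expected_delta))
        # Global invariant: Syrup in circulation can never exceed Cake locked in the pool.
        if supply > staked:
            findings.append((tx.tx_hash, "syrup_exceeds_stake", supply, staked))
    return staked, supply, findings


# Constructed sample log: three normal transactions, then an unstake that
# withdraws Cake without burning the matching Syrup (the failure mode the post describes).
SAMPLE_TXS = [
    Tx("0xaaa1", "stake", "alice", 100, 100),
    Tx("0xaaa2", "stake", "bob", 50, 50),
    Tx("0xaaa3", "unstake", "alice", 100, -100),
    Tx("0xaaa4", "unstake", "bob", 50, 0),
]

if __name__ == "__main__":
    staked, supply, findings = audit(SAMPLE_TXS)
    print(f"staked Cake={staked} Syrup supply={supply} unbacked Syrup={supply - staked}")
    for f in findings:
        print("FINDING", *f)
```

Run against a real log, the two rules separate a single mis-accounted unstake (first finding) from the cumulative supply drift that users noticed in Telegram (second finding).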

There is also a voting system that allows the community to speak its mind and decide on certain things.
In the past, the administrators said that anything can be achieved with a community vote.

At this moment, there is a community vote (link) to help/compensate the people who were affected by this exploit.
The vote has already received 1.1 million votes, more than 97% in favor.

These votes come from affected people, not from the exploiter. Their transaction history can be checked manually to confirm that they bought Syrup with their own money.

When asked for their opinion on this vote, the admins at first ignored it. After users kept pushing them for an answer, they said “Syrup vote is no longer valid, the new voting system will use Cake”.

How convenient: that means the affected users who bought Syrup and lost money won’t be able to vote on their own fate.

To sum this up: an exploit showed up in audited code. People lost money.
If PancakeSwap had handled this differently, we could have said that this is only the auditor’s fault. However, seeing the treatment the affected users got from the PancakeSwap team in Telegram, the story is different, and we now have multiple perpetrators:

  1. The actual exploiters, who can be traced with the help of Binance.
  2. Certik, as the auditor of the code that was exploited.
  3. PancakeSwap, for trying to hide the exploit, misinforming its users and accusing them.