Update on the PancakeSwap Scam Incident

Voice of reason
Nov 7, 2020

PancakeSwap is a platform that will gladly rob its users after releasing broken code onto them.

The same code they claimed was audited by Certik.
They also claimed the users’ funds were protected by the CertiKShield program.

Now Certik says that the code was actually only “partially” audited and that no one gets anything from the CertikShield program, which at this point can be called the FakeShield program.

On the exploiter

There is still nothing from Binance on this, and we are still not sure why. PancakeSwap calls the exploiter “a bad actor”.

We expected to find the final number of stolen Syrup in their article, but they blatantly say “10–20 million Syrup”, which means they did zero investigation.

If PancakeSwap decided that the person who used the exploit to steal money is only a bad actor, then the whole responsibility lies with the creators of the bad code: PancakeSwap themselves.

This should lead to compensation for everyone who was affected by this bad code.

If it doesn’t, it puts the Cake users in immediate danger.
If a new “exploit” in the Cake code appears, it will be no one’s fault again and those users will be burned too.
The CertikShield and its audit are fake.

On users trading Syrup

At the start of PancakeSwap’s article, they say:

“Following the emergency decision to remove support for SYRUP on PancakeSwap, it came to light that an unexpectedly large number of users had bought and sold SYRUP and were negatively affected.”

A couple of lines later, they say:

Internal chat logs from October 8th reveal the chefs’ initial thought process:

[08.10.20 12:05] We should not let users swap it

[08.10.20 12:07] a lot of them already have

[08.10.20 12:07] will probably just result in more questions from users on why they can’t find it etc.

[08.10.20 12:08] if it’s completely removed now those who made the mistake are stranded

This means they knew Syrup was being traded 1 month ago, not “after the incident”.

They are basically lying and contradicting themselves in the same article.

[Image: the two contradicting statements in PancakeSwap’s article.]

On the contract

The PancakeSwap article says they considered:

“Redeploy new MasterChef and SyrupBar smart contracts with updates that would fix the exploit”

That could have been a better option, since the Syrup holders wouldn’t be left behind.

However, that sentence also confirms that the PancakeSwap developers released a product that wasn’t ready, somehow got it “audited” through Certik and pushed it onto its users.

It is PancakeSwap’s responsibility to take care of the affected users.

On the vote

The community vote resulted in 1.1 million votes for compensating the affected Syrup users (97% in favor).

These votes came from affected people, not from the exploiter. Their transaction history can be manually checked and it can be determined that they bought Syrup with their own money.

In the past, the developers used the vote function to fork whatever they liked in the contract daily, but now that the users decided to vote (and did, successfully), the developers say: “community votings proposals are not binding decisions”.

They announced that Cake holders will decide on possible compensation in an “undetermined” future.
They are basically saying that the affected Syrup users are excluded and won’t be part of this vote. That is unacceptable.

Also, the PancakeSwap announcements mention that the sentence used in the voting proposal, “1:3 or something similar decided by the chefs”, is too general.
How can the affected Syrup holders offer an exact number if they do not know how much extra Syrup was created?
The PancakeSwap team needed more than 3 days to publish something, and in that article they gave only a vague number of 10–20 million.

A clear message to the PCS team: Take responsibility. Do more.

To sum this up:

  1. PancakeSwap released broken code.
  2. Certik audited that code.
  3. PancakeSwap assured its users that the code is verified and there is also protection from the CertikShield program.
  4. Exploiters took more than $500,000 of users’ money, maybe more.
    We still need detailed analysis and numbers from PancakeSwap team.
  5. The exploiters transferred some of their funds to Binance.
  6. Still no steps from Binance and CZ on this user and freezing his assets.
  7. Certik doesn’t take responsibility and denies funds from the protection program.
  8. PancakeSwap says the exploiter is only “a bad actor” and doesn’t go after him.
  9. PancakeSwap doesn’t take responsibility and doesn’t compensate affected users.
  10. The community vote is considered irrelevant by the PancakeSwap team.
  11. They announce a new vote, which will exclude the affected users.

If this is the #1 AMM on Binance Smart Chain, then we are all doomed.