VYSYN VENTURES Weekly Insights #25
Binance Smart Chain (BSC) offers the ability to bring Ethereum features, including smart contracts and decentralized exchanges (DEXs), to a broader audience. The incorporation of automated market makers (AMMs) brings fast, low-cost transactions that are currently nonexistent in the Ethereum yield farming scene.
These features open up yield farming to those who might not be able to pay high fees on the Ethereum network. Unfortunately, with any new technology, there will be those who will take advantage of the situation.
Herein, we present a case study of how a couple of BSC projects worked together to overcome a potentially crippling scenario. Please read our other piece on yield farming here as this article assumes a basic understanding of how they operate.
BSC Players PancakeSwap & ThugSwap
PancakeSwap is one of the most established BSC yield farming protocols. Since its creation, it has grown considerably, reaching over $115 million in liquidity over 24 hours. In addition to having a pancake bunny as a mascot, PancakeSwap introduced a novel mechanism of yield farming, allowing its users to earn additional reward tokens passively.
The reward token for Pancakeswap, Cake, gave another reward token, Syrup. Users were able to stake Syrup to earn 3rd party reward tokens like TWT. It might sound complicated, but this diagram should clear things up.
This feature was very successful, allowing Pancakeswap to build up its fan base, attract additional liquidity, and earn direct support from Binance through its accelerator program. The accelerator program provides liquidity, technical support, name recognition, and marketing support.
To give further credibility to the decentralized application (Dapp), blockchain auditor Certik was brought on for security and gave the project a passing score. In a landscape full of rug pulls and liquidity theft, these audits carry a great deal of weight and can cost up to tens of thousands of dollars.
Building on the BSC yield farm hype and expectations, ThugSwap came onto the scene shortly after PancakeSwap. Branding as the rare non-food yield farm, ThugSwap used part of the Syrup smart contract mechanism for its reward token, Hoes. When staked, Hoes generated the Guns token.
It is crucial to set up the relationship between the two tokens as what happened affected both of them similarly. On November 3rd, rumors began circulating on Twitter and Telegram that the Syrup smart contract had been exploited, allowing people to mint Syrup tokens above what should have been possible.
Addressing the Smart Contract Bug
The ripples began to spread quickly. A BSC project integrated with both yield farms, Beefy Vault, caught ahold of this news and quickly began sending out notifications that the bug was live and active.
Upon investigation, it was discovered that the contract bug was active for roughly 3 weeks before being caught. Once their community began asking questions, Pancake sprang into action, sending out similar warnings, asking all users to withdraw their funds.
From their Medium recap, “The specific exploit here was that if a user used the emergencyWithdraw function in the MasterChef contract to withdraw their staked CAKE, the corresponding SYRUP tokens would not be burnt as intended. This allowed bad actors to repeatedly mint more SYRUP tokens with their CAKE tokens.”
As the Hoes token from Thugswap used a similar mechanism, the bad actors soon began exploiting it, possibly on November 3rd. Very quickly, a large supply of “fake” Hoes tokens began circulating, roughly 35% of the total supply.
The Hoes token was never meant to be traded, but some did find their way into the marketplace. The Thugs dev team, in coordination with Beefy, moved quickly to stop the exploit, providing users a couple of workarounds to get out of the tainted yield farm, which was then shut down. This rendered the fake tokens unusable, untradable, and worthless.
This kind of “infinite growth” bug is not unheard of in cryptocurrency. Within 24 hours of launch, Axion suffered a similar exploit that caused the token to lose 99% of its value within hours. While the Pancake devs decided to shut down Syrup completely, its effects spread through the ecosystem.
What about the Certik Security Audit?
The audit services from Certik were to examine the “delta,” or difference between the original SushiSwap code, upon which Pancake was based, and the additions from the Pancake devs. The emergencyWithdraw function used to exploit the smart contract was from the original SushiSwap code and, therefore, was not included in the audit. Despite having insurance with Certik, the emergencyWithdraw exploit operated “within the desired function” and did not qualify for an insurance claim.
Changes by PancakeSwap and ThugSwap
As the smoke from the fire dies down, several changes will be coming to PancakeSwap. First off, the community is requiring more diligent code checks, as the Syrup bug was active since October 10th and operated for 3 weeks before being caught. The Syrup token has been deemed utterly unusable due to the oversupply. It will no longer be used in the Pancake system, and there may not be a replacement. An upcoming vote on user compensation is currently pending.
ThugSwap has elected to take a different approach and retool the Hoes smart contract completely, in part because it started staking much later than Syrup, limiting the damage. The developers are currently crafting a creative solution to keep the staking mechanism while ensuring that hacks like this are not possible in the future. Also, as previously mentioned, Beefy Finance is soon releasing new vaults that will allow for renewed long-term staking of reward tokens from both PancakeSwap and ThugSwap, CAKE, and DRUGS.
Impact on Binance Smart Chain?
Some will point the finger at BSC, saying that the platform is responsible for the nefarious actors’ actions. This logic is flawed, as rug pulls, smart contract breaks, and other unforeseen setbacks happen on Ethereum all the time.
Even user error, a common occurrence, causes many issues and problems on decentralized networks. Despite having some of the same bad actors as the Ethereum ecosystem, BSC still has the advantage of its incredibly fast speeds and fees costing pennies instead of dollars. Compounded over time, Ethereum fees can easily cut deeply into profits.
The lessons learned from this scenario should instead be on the decisive action of all the teams involved. By moving quickly and keeping the community updated over Medium, Telegram, Twitter, and direct messages, these communities were able to get ahead of the issue and retain high user confidence.
With the breakneck pace of blockchain development, it is easy to forget that Binance Smart Chain is just over a month old. Tools are still being created for the protocol and there will inevitably be growing pains.
If the exploit had been triggered with a higher total value locked (TVL) in the smart contracts, the results could have been much worse. Finding this error early on may have been a blessing in disguise.