$1,800,000 was stolen from Binance Smart Chain PancakeSwap Lottery Pool — Part II

Crypto Pwnage
May 14, 2021

Since the previous article sparked a lot of debate, and there is still no CONSENSUS, some clarifications should be made.

1. Information in the previous article CAN BE VERIFIED BY YOURSELF. You do not need anyone to tell you whether it is true or not. On a blockchain all data is open. Here I am going to show you the exact sequence of actions you should perform to verify it.

2. If it is still too difficult for you or you are just too lazy for it, it is totally OK. Just show this article to an INDEPENDENT blockchain (or just IT) specialist. He or she will be able to repeat the verification procedure in minutes.

3. There was confusion about account 0x35f16a46d3cf19010d28578a8b02dfa3cb4095a1 presented in the article. PancakeSwap continues to deny the theft, and its main argument is that the account was used to burn cakes, not to steal them. Well, it is true. That account indeed did not steal any money and actually was used to burn cakes. The article did not claim that it did, though. The article said there was a person who had access to that account, and that person stole the money. He did not steal the money to this specific account, of course. It would be stupid to steal money to an admin account. He stole the money to his personal accounts by generating jackpot tickets from his personal accounts and claiming jackpots.

Here is the exact procedure you should repeat to verify the article by yourself.

  1. Open the lottery site and check, say, issue 489:

Alternatively, in case this site is down, you can do the same via the blockchain:

https://bscscan.com/address/0x3c3f2049cc17c136a604be23cf7e42745edf3b91#readProxyContract

This is a proxy contract of the lottery, so check that the ABI for the implementation contract is still the same.

Go to historyNumbers.

Here we input the issue number (489) and index numbers 0–3 to find the jackpot numbers for this round. Blockchain storage tells us that the result is:

1 9 9 11

We have 4 tickets that won that issue. Let’s find them in the blockchain (spoiler: they have IDs 2096497, 2096498, 2096500, 2096501. All 4 jackpot winners are located in exactly the same block as the lottery random generator method, so it was not very difficult to find them).

1. Open https://bscscan.com/

2. Open the page of Pancake Lottery Ticket:

https://bscscan.com/token/0x5e74094cd416f55179dbd0e45b1a8ed030e396a1

3. Go to the Read Contract tab.

4. Put your ticket ID here and press Query.

As you can see, this is a jackpot winner.

So, now let’s finally look inside the block:

Buy jackpot tickets

Buy moar jackpot tickets

Generate Jackpot ticket numbers

So, someone who had access to the 0x35f16A46D3cf19010d28578A8b02DfA3CB4095a1 account (the PancakeSwap admin account) generated 4 jackpot tickets at EXACTLY the same moment as the lottery issue ended.
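The manual check above, written as an added example (not code from the article or from PancakeSwap): given the winning numbers read from historyNumbers and a record per ticket, it lists the jackpot tickets and flags those bought in the block of the draw. The names `Ticket` and `audit_issue`, the block height, the transaction indices and ticket 2000000 are constructed for illustration, and a jackpot is assumed to mean all four positions match.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ticket:
    ticket_id: int
    numbers: tuple   # four numbers read from the ticket contract
    block: int       # block containing the purchase transaction
    tx_index: int    # position of that transaction inside the block

def is_jackpot(ticket, winning):
    # Assumption: a jackpot requires all four positions to match.
    return tuple(ticket.numbers) == tuple(winning)

def audit_issue(winning, draw_block, draw_tx_index, tickets):
    """Group jackpot tickets by when they were bought relative to the draw."""
    report = {"jackpots": [], "same_block": [], "after_draw": []}
    for t in sorted(tickets, key=lambda t: t.ticket_id):
        if not is_jackpot(t, winning):
            continue
        report["jackpots"].append(t.ticket_id)
        if (t.block, t.tx_index) > (draw_block, draw_tx_index):
            report["after_draw"].append(t.ticket_id)   # bought after the draw
        elif t.block == draw_block:
            report["same_block"].append(t.ticket_id)   # bought in the draw block
    return report

# From the article: winning numbers of issue 489 and the four winning ticket IDs.
WINNING_489 = (1, 9, 9, 11)
# Constructed sample values: block height, transaction indices, ticket 2000000.
DRAW_BLOCK, DRAW_TX = 1_000_000, 30
SAMPLE = [
    Ticket(2000000, (3, 7, 2, 11), DRAW_BLOCK - 500, 4),
    Ticket(2096497, WINNING_489, DRAW_BLOCK, 28),
    Ticket(2096498, WINNING_489, DRAW_BLOCK, 28),
    Ticket(2096500, WINNING_489, DRAW_BLOCK, 29),
    Ticket(2096501, WINNING_489, DRAW_BLOCK, 29),
]

def run_sample():
    return audit_issue(WINNING_489, DRAW_BLOCK, DRAW_TX, SAMPLE)

if __name__ == "__main__":
    for key, ids in run_sample().items():
        print(key, ids)
```

A jackpot ticket bought well before the draw appears under `jackpots` only; every winner landing in `same_block` is the pattern the article points at.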

The END
