I exploited the SYRUP bug on 3 November 2020. I regret it very much, and would like to return all the gains I made from it.
Sorry, #BSC community. Please forgive me.
On 3 November 2020, I noticed a suspicious transaction to the PancakeSwap timelock, removing the timelock from their MasterChef contract. I looked deeper into it, and discovered that there was a bug in their SYRUP contract that allowed anyone to mint unlimited amounts of SYRUP. I immediately reached out to the team about the bug, but got no response.
I panicked. The bug was already being actively exploited, and had been for weeks. I had ~$1M locked in the protocol, ~385K CAKE, was supplying ~90% of the liquidity in the SYRUP-BNB pool (worth ~105 BNB when I liquidated it), and had accumulated ~29K surplus SYRUP which had already fallen in value by >75% in the last few weeks.
This was my first time encountering a DeFi exploit. Can this be fixed? Were there other bugs that have been missed? What if I lost everything? Why weren’t the team responding?
I noticed their MasterChef contract still had the migrator() function in it. This meant that without the timelock, the dev could move out all assets locked into the MasterChef contract. This includes all $100M+ in liquidity that was staked to farm CAKE. Was someone trying to steal everybody’s assets?
I panicked. I liquidated everything I had staked in the protocol.
Then I got a bit angry. Users have been raising the discrepancy in the SYRUP supply for days now; why hasn’t the team responded? I became curious: does the exploit actually work? I tried it, manually calling emergencyWithdraw(). I got back my 385K CAKE and still had all my SYRUP. I did it again, and again… and again. I thought, maybe this would make the issue too big for the team to continue ignoring. I kept doing it. Within 13 minutes, they announced that they were closing the SYRUP pools. I became the biggest holder of SYRUP.
(Aside: @MikeThug1 provides some good insight into how SYRUP and HOES were being exploited in the weeks leading up to 3 November).
Then I did something I now regret. I thought, hey, the value of SYRUP is going to fall to 0 anyway, and I had already lost so much because of this bug, might as well try to recoup my losses as much as possible. I started selling SYRUP and staking the SYRUP.
I now realize that after already losing so much myself to the bug, it was selfish of me to try and recoup my losses by further exploiting it, and causing others further losses. It doesn’t matter that those losses were inevitable anyway.
This really weighed on me after the fact. I was in a state of shock from the events that had happened, and over time felt more and more ashamed of what I had done.
I realized the right thing to do would be to return these gains to the community, then everyone could recoup some of their losses. I calculated that after exploiting the bug, I had gained a total of 5311.121775 TWT and 265.5628 CTK from staking in the SYRUP pools and 38.77830336 BNB from selling the SYRUP. I contacted Binance 3 days later and asked how I could return these gains, and am currently awaiting a solution from them. I had wanted to get a solution from Binance before reaching out to the PancakeSwap team to apologise, but as they were taking some time, I reached out to the team on 19 November to discuss the best way for me to return the tokens.
I was taken aback by their response.
At first I was shocked and even angry. I thought, these guys aren’t taking any responsibility for their own bug, and want to pin all the blame on 1 user that probably lost the most as a result of it. Did they think they could’ve covered up the bug forever?
After I calmed down a bit, I realized that I am still the one in the wrong here. I don’t blame them for the bug. Everyone makes mistakes, and as DeFi investors, we understand that we are taking on risk in exchange for returns, and smart contract risk is a part of it.
I made a mistake and I hope that you can forgive me too.