Sorry for exploiting the SYRUP bug

x · ACryptoS
Nov 21, 2020 · 4 min read

I exploited the SYRUP bug on 3 November 2020. I regret it very much, and would like to return all the gains I made from it.

Sorry, #BSC community. Please forgive me.


What happened?

On 3 November 2020, I noticed a suspicious transaction to the PancakeSwap timelock, removing the timelock from their MasterChef contract. I looked deeper into it, and discovered that there was a bug in their SYRUP contract that allowed anyone to mint unlimited amounts of SYRUP. I immediately reached out to the team about the bug, but got no response.


I panicked. The bug was already being actively exploited, and had been for weeks. I had ~$1M locked in the protocol, ~385K CAKE, was supplying ~90% of the liquidity in the SYRUP-BNB pool (worth ~105 BNB when I liquidated it), and had accumulated ~29K surplus SYRUP which had already fallen in value by >75% in the last few weeks.


This was my first time encountering a DeFi exploit. Can this be fixed? Were there other bugs that have been missed? What if I lost everything? Why weren’t the team responding?

I noticed their MasterChef contract still had the migrator() function in it. This meant that without the timelock, the dev could move out all assets locked into the MasterChef contract. This includes all $100M+ in liquidity that was staked to farm CAKE. Was someone trying to steal everybody’s assets?


I panicked. I liquidated everything I had staked in the protocol.

Then I got a bit angry. Users have been raising the discrepancy in the SYRUP supply for days now, why hasn’t the team responded? I became curious, does the exploit actually work? I tried it, manually calling emergencyWithdraw(). I got back my 385K CAKE and still had all my SYRUP. I did it again, and again… and again. I thought, maybe this would make the issue too big for the team to continue ignoring. I kept doing it. Within 13 minutes, they announced that they were closing the SYRUP pools. I became the biggest holder of SYRUP.


(Aside: @MikeThug1 provides some good insight into how SYRUP and HOES were being exploited in the weeks leading up to 3 November).

Then I did something I now regret. I thought, hey, the value of SYRUP is going to fall to 0 anyway, and I had already lost so much because of this bug, might as well try to recoup my losses as much as possible. I started selling SYRUP and staking the SYRUP.

I now realize that after already losing so much myself to the bug, it was selfish of me to try and recoup my losses by further exploiting it, and causing others further losses. It doesn’t matter that those losses were inevitable anyway.

This really weighed on me after the fact. I was in a state of shock from the events that had happened, and over time felt more and more ashamed of what I had done.

I realized the right thing to do would be to return these gains to the community, then everyone could recoup some of their losses. I calculated that after exploiting the bug, I had gained a total of 5311.121775 TWT and 265.5628 CTK from staking in the SYRUP pools and 38.77830336 BNB from selling the SYRUP. I contacted Binance 3 days later and asked how I could return these gains, and am currently awaiting a solution from them. I had wanted to get a solution from Binance before reaching out to the PancakeSwap team to apologise, but as they were taking some time, I reached out to the team on 19 November to discuss the best way for me to return the tokens.

I was taken aback by their response.


At first I was shocked and even angry. I thought, these guys aren’t taking any responsibility for their own bug, and want to pin all the blame on 1 user that probably lost the most as a result of it. Did they think they could’ve covered up the bug forever?

After I calmed down a bit, I realized that I am still the one in the wrong here. I don’t blame them for the bug. Everyone makes mistakes, and as DeFi investors, we understand that we are taking on risk in exchange for returns, and smart contract risk is a part of it.

I made a mistake and I hope that you can forgive me too.

x

ACryptoS

Advanced Crypto Strategies

x · ACryptoS

Written by

https://www.acryptos.com/ · https://twitter.com/acryptosx ·

ACryptoS

ACryptoS offers 2 products on Binance Smart Chain, yield optimizer ACryptoS Vaults and stablecoin DEX ACryptoS StableSwap. Our tokenomics and fees are designed to encourage longer term staking, and reward long term holders of our ACS and ACSI native tokens.
