PancakeSwap Pulls the Emergency Brake on SYRUP Pools

An exploit found in the SYRUP smart contract forced PancakeSwap to put an end to their SYRUP pools. Even with a CertiK audit it appears the contracts can still be compromised.

By
Rich
on
November 12, 2020
Category:
Project Insight

The Exploit

PancakeSwap's Governance token "SYRUP" has been compromised. A flaw in the contract would allow staked CAKE to be removed without burning the SYRUP minted. People could un-stake via the contract's emergency withdrawal function; this function would not eliminate the existing SYRUP that was created. They could then re-stake the CAKE tokens and keep receiving the SYRUP token as a reward. The result; about 30 Million SYRUP tokens have been minted fraudulently. Because the SYRUP token was used for staking in the SYRUP pools and bad actors staked & sold all the fake syrup tokens, pulling down prices and the APY. As a result, it put honest investors at a disadvantage.

https://pancakeswap.finance/staking

Beefy Boys to the Rescue

The whole thing came to light after users started inquiring why SYRUP's supply surpassed the staked CAKE supply. After SirBeefAlot from BeefyFinance found out how the exploit worked, they informed the PancakeSwap team about it. The exploit, by then, had been ongoing for three weeks already.

The PancakeSwap team decided to stop and migrate all SYRUP pools into CAKE pools. Users had to un-stake their syrup and then re-stake their CAKE in the desired pools. The SYRUP token has lost all value and is rendered useless now. Users that bought the SYRUP token (not recommended as per disclaimer on  PancakeSwap) for staking purposes (one cake would exchange for about three syrup tokens in the market) are now at a loss. At this point, the community is trying to get compensation for their losses, but PancakeSwap is standing its ground, re-stating that users should not have bought the token. Meanwhile, a possible solution has been proposed using the project's governance feature.

CertiK Audit

Even though PancakeSwap has been audited by Certik and paid for insurance, they are not covered for the losses as the contract only was audited in "delta," meaning they only checked things that were different from the original SUSHI contract. PancakeSwap therefore was unable to put in a claim at Certik insurance.

Staking Resumes

Current staking pools for CAKE (former syrup pools) have been relaunched, where users can now stake their CAKE tokens.

Available pools consist of the following: CAKE, HARD, CTK, bROOBEE, STAX, and NYA

https://pancakeswap.finance/staking

Have fun and do your research(DYOR) while stacking those CAKE's.

Tags:
No items found.
Rich

Richard is a multilingual writer, located in the Netherlands, husband and father, cryptocurrency and tech enthousiast enjoys long walks and bicycle rides. Fervent Binance Smart Chain projects promotor.