A vulnerability in the PancakeSwap crypto lottery protocol has been fixed before any bad actors could exploit it. The developer team is now divulging all the details.
In a post-mortem article on March 29, the PancakeSwap team detailed a bug in its lottery smart contract. A whitehat hacker discovered the critical vulnerability before any funds were stolen.
Blockchain and smart contract security firm Immunefi, in cooperation with a whitehat known as “Thunder,” facilitated the patch.
Lottery Bug Patched
The post-mortem elaborated on the vulnerability, which allowed a ‘multibuy’ function to purchase tickets while the lottery was still in the drawing phase.
“This meant that a user could see the lottery draw transaction, compute the winning lottery number, buy the right ticket during the draw, and frontrun with a high gas fee to win the lottery.”
It added that the block time is relatively short on Binance Smart Chain. So, computations for the winning ticket would need to be done quickly and would cost a very high gas fee.
At around $12 per CAKE and 20,000 CAKE per lottery, $240,000 per lottery could have been discreetly and repeatedly stolen. The team updated the smart contract to prevent compromised lottery draws in the future.
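The flaw class described above, a batch purchase path that skips the phase check the single-ticket path enforces, can be modeled in a few lines. This is an added example in Python, not PancakeSwap's contract code; the class names, phase names and the `late_tickets` invariant check are assumptions made for illustration, and routing the batch path through the guarded single-ticket path is one way to close such a gap, not necessarily the team's actual patch.

```python
from enum import Enum, auto


class Phase(Enum):
    OPEN = auto()       # tickets may be sold
    DRAWING = auto()    # draw submitted; sales must be closed
    CLAIMABLE = auto()  # winning numbers are final


class LotteryClosed(Exception):
    """Raised when a purchase is attempted outside the OPEN phase."""


class VulnerableLottery:
    """Hypothetical model: buy() checks the phase, multi_buy() does not."""

    def __init__(self):
        self.phase = Phase.OPEN
        self.tickets = []  # (buyer, numbers, phase at purchase time)

    def _record(self, buyer, numbers):
        self.tickets.append((buyer, tuple(numbers), self.phase))

    def buy(self, buyer, numbers):
        if self.phase is not Phase.OPEN:
            raise LotteryClosed("sales are closed")
        self._record(buyer, numbers)

    def multi_buy(self, buyer, batch):
        # Missing phase guard: purchases succeed even during DRAWING.
        for numbers in batch:
            self._record(buyer, numbers)

    def enter_drawing(self):
        self.phase = Phase.DRAWING


class PatchedLottery(VulnerableLottery):
    """Every purchase path goes through the same guarded function."""

    def multi_buy(self, buyer, batch):
        for numbers in batch:
            self.buy(buyer, numbers)  # raises LotteryClosed once sales close


def late_tickets(lottery):
    """Invariant check: tickets recorded after sales should have closed."""
    return [t for t in lottery.tickets if t[2] is not Phase.OPEN]
```

A non-empty result from `late_tickets` is the condition a contract test suite or on-chain monitor would flag: any ticket whose purchase landed after the draw began.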
Every 12 hours the automated market maker runs a CAKE lottery which costs 1 CAKE per ticket. This gives the holder a random four-digit combination of numbers between 1 and 14. Participants must match all four numbers to win the pot.
PancakeSwap has hosted a million-dollar bug bounty with Immunefi, which launched on March 26.
DEX TVL and CAKE Price Update
According to crypto wallet provider Debank, PancakeSwap actually surpassed Uniswap in daily volumes briefly last week. DappRadar is reporting a total value locked for both DEXs at around $5.4 billion today.
PancakeSwap’s native token, CAKE, is trading for $16.97. This is a 4% gain from its daily open. It hit an all-time high of just under $20 on Feb. 20 and was close to tapping those levels again over this past weekend.