Comments (12)
Bumping this issue up, this migrator function is highlighted on Binance Docs itself as "malicious".
PancakeSwap is gaining traction in the DeFi scene; seeing this particular function, which may serve as a backdoor for extracting assets, might scare away potential investors and/or adopters who are savvy enough to check the contract.
See the link below, Item 4:
https://www.binance.org/en/blog/how-to-identify-malicious-contract-on-binance-smart-chain/
Snippet
pancake-farm/contracts/MasterChef.sol
Line 170 in a61313b
FYI
@pancake-swap @fio666 @pancake-cat
from pancake-farm.
There's an important difference between the `migrate` function on the Binance blog post and this one: the dangerous version of `migrate` gives the migrator contract infinite spending approval.
Exactly that modification is what e.g., HoneySwap used for their rug pull. This is what happened in that case:
- Deploy the contract (this is before announcing HoneySwap to the public)
- Set the migrator to the attacking contract
- Call `migrate` for all pairs. Pools are empty so nothing is transferred but infinite approval is given as a side effect.
- Unset the migrator (to hide the above)
- Wait
- The attack: just use the attack contract to transfer the funds (as it has infinite approval from step 3)
That rug pull used a previously granted spending approval which is impossible here: the `migrate` of PancakeSwap approves a specific balance and immediately uses that full balance, so the migrator contract cannot spend any more of PancakeSwap's LP tokens afterwards.
Also note that `migrate` is required for a very specific feature: the ability to migrate towards a new version of PancakeSwap.
(Note: I'm a software engineer but not seasoned in smart contracts.)
from pancake-farm.
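The difference described in the comment above, as an added example that is not part of the thread or of PancakeSwap's code: a toy in-memory model of token allowances showing the check an auditor would make, namely what allowance the migrator still holds after `migrate` returns. All class, function and account names are hypothetical and the balances are constructed.

```python
# Added illustration: toy model of ERC-20/BEP-20 allowance bookkeeping.
# Names are hypothetical; this is not the MasterChef contract.
MAX_UINT256 = 2**256 - 1


class Token:
    def __init__(self):
        self.balances = {}
        self.allowances = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowances.get((owner, spender), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise PermissionError("insufficient allowance or balance")
        self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] = self.balances.get(owner, 0) - amount
        self.balances[to] = self.balances.get(to, 0) + amount


def migrate(lp, farm, migrator, infinite):
    """Farm-side migrate: approve the migrator, which pulls the farm's full balance."""
    bal = lp.balances.get(farm, 0)
    lp.approve(farm, migrator, MAX_UINT256 if infinite else bal)
    lp.transfer_from(migrator, farm, migrator, bal)


def residual_allowance(lp, farm, migrator):
    """Audit check: what can the migrator still pull after migrate() returned?"""
    return lp.allowances.get((farm, migrator), 0)


def scenario(infinite):
    """Migrate an empty pool, add later deposits, then test a later pull."""
    lp = Token()
    migrate(lp, "farm", "migrator", infinite)   # pool is empty: nothing moves
    lp.balances["farm"] = 1_000                  # constructed later deposits
    left = residual_allowance(lp, "farm", "migrator")
    try:
        lp.transfer_from("migrator", "farm", "migrator", 1_000)
        pulled = True
    except PermissionError:
        pulled = False
    return left, pulled
```

On a live chain the same check is a read of the LP token's `allowance(owner, spender)` with the farm contract as owner and the migrator as spender.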
Ok so if I think I understand this correctly, it is in FACT already removed from their smart contract code seen here:
https://bscscan.com/address/0x0e09fabb73bd3ade0a17ecc321fd13a19e81ce82#code
Can anyone confirm or correct my understanding please?
from pancake-farm.
> Ok so if I think I understand this correctly, it is in FACT already removed from their smart contract code seen here:
> https://bscscan.com/address/0x0e09fabb73bd3ade0a17ecc321fd13a19e81ce82#code
> Can anyone confirm or correct my understanding please?

https://bscscan.com/address/0x73feaa1ee314f8c655e354234017be2193c9e24e#code
I think that this is the contract that you are looking for. The code is in fact there. I would not use PancakeSwap with that backdoor there; alternatives to migration exist. In fact this is worse than good for the security.
from pancake-farm.
> There's an important difference between the `migrate` function on the Binance blog post and this one: the dangerous version of `migrate` gives the migrator contract infinite spending approval.

Thanks for taking the time to dive into some detail. Could you elaborate a little on where the actual difference is? The `migrate` function per se looks identical.
from pancake-farm.
That's kind of scary
from pancake-farm.
Thanks! Can I ask how you properly located the right contract? I went to CMC and searched pancake and copied the contract address from there, but apparently it's wrong. How did you locate the proper one?
Appreciate the help!
from pancake-farm.
> Thanks! Can I ask how you properly located the right contract? I went to CMC and searched pancake and copied the contract address from there, but apparently it's wrong. How did you locate the proper one?
> Appreciate the help!

Because it's two different contracts: the one you picked is the CAKE token contract; the one I copied is the main staking contract that has the vulnerability.
from pancake-farm.
Thanks @josemtm for your reply! How do you find that contract ID in the first place?
from pancake-farm.
It is stated on the README.md (MasterChef Contract)
from pancake-farm.
Has there been any progress on this issue? Do PancakeSwap still insist it is an essential function?
from pancake-farm.