What does an Exploit look like?
I am posting this on my personal Medium rather than the Thugs Medium because this is truly an opinion piece. This is not the opinion of Thugs, 8ball, or anyone else associated with the Thugs project. I’m not even showing this to THE EDITOR.
Earlier I retweeted an article about the SYRUP Exploit. While I did not agree with the entirety of the article, I thought it was useful as it exposed the wallet of one of the Exploiters who took advantage of the SYRUP contract.
After a little bit of back and forth with Defi Khaled I decided to put a little bit of my research out in the world, so you can see what I see as I look this over.
So here’s the thing. It is easy to look back with hindsight and say “You should have known this was going on”. It is easy to look from the outside and say “This is obvious”. What I am about to post does not really prove any sort of intentional oversight by the folks over at Pancake. But it does shine a light on a problem that was glaringly obvious for anyone looking at the transaction log. I don’t know how many devs look at transaction logs on a regular basis; if they don’t, maybe they should. Because these patterns are hard to miss.
Let’s step back a minute. I did not start out today with any intent of digging into the SYRUP transaction log. I really don’t have any interest in SYRUP whatsoever. What I was doing was looking at the transaction log for HOES. I wanted to see if I could find the first time that the exploit was initiated in HOES.
Again, for those in the back who can’t hear so good. I am not a Dev, I don’t code, I have no idea what lines of the smart contract allow the exploit to take place. But I do know transaction logs. I have been working on learning more about these since I volunteered to go through the THUGS LP token holders to put together the airdrop list for people who moved LP from BSCSwap to Pancake. So I went for a little dig.
What was I looking for?
Pancake was generous enough to give me the bread crumb in their post this morning. They put a link in to the Transaction for the first time the exploit was initiated on the SYRUP Contract.
This is a really small transaction, printing teeny tiny amounts of SYRUP. But the thing this does is give us the pattern of how the exploiters are attacking the contract.
When you download the transaction log to an excel spreadsheet, that same transaction looks like this.
This stands out a little bit for the number of consecutive transactions creating new SYRUP. The transactions above and below this are reflective of a “normal” transaction. Two, maybe three transactions from the 0x0000000000000000000000000000000000000000 address, mostly in different amounts.
This particular transaction looks like a test of the idea, tiny amount minted, probably wouldn’t hit anyone’s radar. This wallet tries this transaction and then goes away.
In fact, this wallet only put one other transaction on the SYRUP contract, and it does not look like a use of the exploit.
But then, you start seeing Self Destructing Smart Contracts interact with the SYRUP contract. These start turning up in intervals:
These numbers start looking suspicious. More so when you see batches of these show up every now and then, and alarm bells should be going off.
Now, I am not smart enough to say that these self destructing contracts aren’t part of the normal operation of SYRUP, but what I can say is I went through 10,000 lines of transactions for time periods BEFORE the first call on 10/10, and 10,000 lines of transactions AFTER the first exploit call. Prior to 10/10 this pattern does not present itself at all. After 10/10, you see this pattern all over the place.
Because BSCScan will only allow you to pull 5000 transactions at a time, and will not let you pick the time of day (to my knowledge) I was only able to look at about 9 hours for each day, give or take. But these contract interactions were definitively minting thousands if not tens of thousands of extra syrup tokens a day. These particular contracts ran out their clock and self destructed before 10/13, and the exploiter disappeared for a few days.
This is a LOT of transactions to go through, so at this point I went to spot checking. I checked several days after 10/13 up to 10/17 without finding any of these big suspicious blocks, then I checked 10/20. We’re not in Self Destructing Smart Contracts now, we’re just into walls of SYRUP being minted.
This dude ran the exploit and didn’t try to hide the wallet he sent the SYRUP to. That wallet currently contains $27k worth of BNB…
For several days, the people running the exploit are taking out these chunks of 3000–10,000 SYRUP at a time in batches. Then on 11/1 we get a guy who decides to be more daring. He harvests a batch of nearly 40k tokens at one go.
Batches of 28k — 38k start getting minted and sent to wallets every couple of minutes on 11/1. This may be when the alarm bells finally rang. The exploiters got a little too bold and it was finally enough to be noticed. Over the course of the first 8 hours of November 1st I would estimate that around a quarter of a million SYRUP were faked.
Okay… So what does it all Mean?
Like I said at the top, it is easy to look at this stuff in retrospect and say, all the signs were there. I’m not in the Pancake Group, I don’t know those Devs.
I have heard that they were asked about there being more SYRUP tokens than CAKE tokens, which should have been impossible, and that these concerns were dismissed or ignored. Pancake guys say they did not intentionally ignore anyone. Okay, but if someone with no coding experience at all can look at the transaction log and say “This isn’t right”, then shouldn’t they have at least taken a look at this sometime in October and shut this down before these people got bold enough to print nearly 40k SYRUP every few minutes?
The Exploit Comes to HOES
I started all this by going to look at what happened with the HOES contract. So let’s end there too. HOES being a fork of SYRUP had the same exploit sitting dormant in the code for the first week plus of the Traphouse because the act of simply holding HOES allowed you to earn DRUGS. It was not until the launch of GUNS and actually staking HOES that the contract became susceptible to losing tokens (GUNS) to the exploit.
Even then, it does not look like there were any attempts made on the HOES contract until 8:48am (Central Time) on Tuesday, November 3rd. If you go back to the timeline, the concerns about Pancake made it to the Thugs DAO at 7:56am. So knowing what was happening with Pancake made it easy for the DEV team to spot. It may also be that the exploiters got wind of Pancake shutting them down, so they thought they might find greener pastures with Thugs.
While the DEVS can look at the Matrix and see the patterns, we normals need help. To make it easier for us, let’s take a look at the transaction log.
Just a little test transaction, just like that first one we saw on SYRUP three weeks earlier.
Okay… it worked, so now time to start collecting tokens.
This guy decided to have a little party. This is 9:52am Central Time, 3:52 UTC.
Then we get a little break when this guy decides that he milked the contract for enough. But then you will recall our DEV said we went up from 1.4% of the HOES pool being fake to 35%? Well here’s how that happened.
This guy wasn’t content to milk the pool slowly, he came in with a bang and went for a quarter of a million HOES in a hurry. Getting away with it the first time, he ran it at least two more times and hit 3/4 of a million HOES.
At least some of those HOES ended up in This Wallet: 0x47aC2A6F968c84672c91b25d0bD6588310FE84cb which also was moving MILLIONS of SYRUP Tokens. In fact, they are still moving SYRUP around with that address. Someone ought to look into that.
So what’s the Point?
I don’t know if there really is a point, other than to say, when you are looking for suspicious activity on a public ledger, you can usually find it.
Maybe the tools do not exist for a DEV to have something watching transaction logs for something like this, and they certainly don’t have time to watch the log 24/7 for suspicious activity. But the signs were all over the SYRUP log for quite a while before 11/3.
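The consecutive-mint pattern described earlier in this post (more than the usual two or three transfers from the zero address inside one transaction) can be checked by a script instead of by eye. The Python below is an added example, not from the original post or from any project named in it; the CSV column names, transaction hashes, addresses and timestamps are assumed or constructed sample values, and the threshold of 3 comes from the post’s “two, maybe three” description of normal activity.

```python
import csv
import io
from decimal import Decimal
from itertools import groupby

ZERO = "0x" + "0" * 40      # mint source address named in the post
NORMAL_MAX_MINTS = 3        # the post treats "two, maybe three" mints as normal

def find_mint_runs(csv_text, max_normal=NORMAL_MAX_MINTS):
    """Summarise each run of consecutive mint rows in one transaction
    that is longer than max_normal."""
    rows = csv.DictReader(io.StringIO(csv_text))
    findings = []
    # groupby only merges adjacent rows, which matches reading the log top to bottom
    for (txhash, is_mint), group in groupby(
            rows, key=lambda r: (r["Txhash"], r["From"].lower() == ZERO)):
        run = list(group)
        if not is_mint or len(run) <= max_normal:
            continue
        amounts = [Decimal(r["Quantity"].replace(",", "")) for r in run]
        findings.append({
            "txhash": txhash,
            "first_seen": run[0]["DateTime"],
            "mint_rows": len(run),
            "total_minted": sum(amounts),
            # the post notes normal mints are "mostly in different amounts"
            "distinct_amounts": len(set(amounts)),
            "recipients": sorted({r["To"].lower() for r in run}),
        })
    return findings

# Constructed sample log (assumed column names, made-up hashes and addresses).
_T = "2000-01-01 00:00:0"
SAMPLE_ROWS = (
    [("0xtx_a", _T + "1", ZERO, "0xuser_1", "12.5"),
     ("0xtx_a", _T + "1", ZERO, "0xuser_1", "4.25"),
     ("0xtx_a", _T + "1", "0xuser_1", "0xpool", "16.75")]
    + [("0xtx_b", _T + "2", ZERO, "0xwallet_x", "0.001")] * 6
    + [("0xtx_c", _T + "3", ZERO, "0xuser_2", str(n)) for n in (1, 2, 3)]
    + [("0xtx_d", _T + "4", ZERO, "0xwallet_y", "3000")] * 5
)
SAMPLE_CSV = "Txhash,DateTime,From,To,Quantity\n" + "\n".join(
    ",".join(row) for row in SAMPLE_ROWS)

if __name__ == "__main__":
    for f in find_mint_runs(SAMPLE_CSV):
        print(f["txhash"], f["mint_rows"], "mints,", f["total_minted"], "tokens,",
              f["distinct_amounts"], "distinct amount(s) ->", f["recipients"])
```

Run against an exported transfer log, the same function would surface both the tiny test-sized runs and the large batches, since it keys on the number of consecutive mints rather than on the amount.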
So the question remains, when did they REALLY know this was happening, and would they have told anyone if Beefy had not stepped in and alerted everybody to what they thought was going on?
Much like how many licks it takes to get to the center of a Tootsie Pop, the world may never know.