A BNB Chain rug pull scams users out of $2 million ($11 million at today's BNB prices). Users ask Binance for help. Binance says it has frozen the fun
A BNB Chain rug pull scams users out of $2 million ($11 million at today’s BNB prices). Users ask Binance for help. Binance says it has frozen the funds but then retracts the statement. The funds sat in the address for nearly two years when Binance suddenly took action to freeze the scammer’s wallet, which had grown to $10.8 million. Previously, Binance had stated that it could not freeze wallets outside exchange addresses due to BNB Chain’s decentralized nature. Users are unhappy and demand Binance to do more. This is the story of the PopcornSwap scam.
On January 28, 2021, decentralized exchange PopcornSwap on Build N Build (BNB) Chain executed an exit scam, stealing over $2 million of liquidity providers’ assets through a little known “preUpgrade” function contained in the exchange’s smart contract. Users held out hope that Binance, creator of BNB Chain, would be able to freeze the scammers’ address. The BNB held in the scammer’s account has grown to over $10 million in value since then as users speculated on whether or not the funds had been frozen.
An investigation reveals that contrary to popular belief, Binance is in fact able to freeze private wallet addresses on BNB Chain, so long as all validators consent. Although the attacker’s address was ultimately frozen by Binance, this action occurred nearly two years after the scam. In the intervening two years, the attacker voluntarily kept funds in the original account and did not move them.
The PopcornSwap rug pull
In 2021, PopcornSwap became one of the first decentralized exchanges on the newly launched Binance Smart Chain (BSC), which was later renamed “BNB Smart Chain.” Some of the network’s users flocked to PopcornSwap to deposit liquidity, hoping to profit from the high trading volumes they expected to materialize on BSC. But instead of getting the record yields they had expected, they lost all of the funds they had deposited. PopcornSwap was a fork of Pancakeswap, which was itself a fork of Sushiswap on Ethereum. And it just so happened that Sushiswap contained a “preUpgrade” function that allowed developers to approve themselves as spenders for every liquidity provider (LP) token, letting them drain all of the assets held by the protocol.
Between 1:26 p.m. and 5:53 p.m. UTC, January 28, 2021 BSC address 0xFd6042Df3D74ce9959922FeC559d7995F3933c55 used the aforementioned function to drain the protocol’s $2 million worth of crypto, swapping all of it into the network’s native coin, BNB, in the process. PopcornSwap LPs had lost everything. The attack ended at 5:53 p.m. UTC, January 28, when Fake_Phishing7 initiated a final transaction swapping 250,913 Binance-pedgged USD Coin (USDC) for 5,536 BNB. This left the scammer with approximately 48,511 BNB, worth $2 million at the time (and $10.8 million now), held in its address.
Victims ask Binance for help
In the wake of the rug pull, victims formed the PopcornRugPull Telegram group. They urged one another to reach out to Binance and report the fraud, asking Binance to freeze the scammers address before any funds could be cashed out. Some users believed that Binance could freeze the scammer’s private wallet address. Others argued that this was impossible, as a centralized exchange cannot freeze a private wallet address.
Related: Binance pushes new stablecoin as it confirms plan to cease BUSD support
The exchange takes action
On January 29, 2021 Binance responded to one of the PopcornSwap victims. A user who calls themselves “Richie” posted an image of the email they received. In it, the Binance customer service agent mistakenly stated that “the wallet of the scammer has been frozen.” The customer service agent urged Richie and all PopcornSwap users to be patient “until the whole situation gets resolved by authorities.”
But by October 2022, the stolen funds remained unmoved, and all attempts to get customer service to respond were met with form letters asking users to contact police. PopcornSwap victims were bewildered by the exchange’s seemingly callous response to users’ requests for reimbursement. However, blockchain data shows that at the time of these complaints, Binance did not have any possession of the stolen funds, nor was it affiliated with the entity that stole users’ money.
Contrary to the statement from Binance’s customer service representative, data from BNB Smart Chain shows that the scammer’s address was not frozen prior to October 6, 2022. Instead, the funds remained in the attacker’s account and were never deposited to a centralized exchange nor bridged to another network. The scammer failed to cash out their stolen loot and never profited from the…
cointelegraph.com
COMMENTS