Binance’s indecision to freeze BNB wallets drew controversy in this … – Cointelegraph

A BNB Chain rug pull scammed users out of $2 million worth of BNB ($11 million at today's prices). Users asked Binance for help, and Binance said it had frozen the funds but then retracted the statement. The funds sat in the address for nearly two years until Binance suddenly took action to freeze the scammer's wallet, which had grown to $10.8 million. Previously, Binance had stated that it could not freeze wallets outside of exchange addresses due to BNB Chain's decentralized nature. Users were unhappy and demanded that Binance do more. This is the story of the PopcornSwap scam.

On Jan. 28, 2021, the BNB Chain-based decentralized exchange PopcornSwap executed an exit scam, stealing over $2 million of liquidity providers' assets through a little-known preUpgrade function contained in the exchange's smart contract. Users held out hope that Binance, which created BNB Chain, could freeze the scammer's address.

The BNB (BNB) held in the scammer's account slowly grew to over $10 million in value as users speculated on whether or not the funds had been frozen.

An investigation reveals that contrary to popular belief, Binance is, in fact, able to freeze private wallet addresses on BNB Chain so long as all validators consent. Although Binance ultimately froze the attacker's address, the action occurred nearly two years after the scam. The attacker voluntarily kept funds in the original account in the intervening two years and did not move them.

In 2021, PopcornSwap became one of the first decentralized exchanges on the newly launched Binance Smart Chain (BSC), later renamed BNB Smart Chain. Some of the network's users flocked to PopcornSwap to deposit liquidity, hoping to profit from the high trading volumes they expected to materialize on BSC. But instead of getting the record yields they had expected, they lost all the funds they had deposited.

PopcornSwap was a fork of PancakeSwap, itself a fork of SushiSwap on Ethereum. And it just so happened that SushiSwap contained a preUpgrade function that allowed developers to approve themselves as spenders for every liquidity provider (LP) token, letting them drain all the assets held by the protocol.
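A review aid for the pattern described above, added here as an example and not taken from the article or from PopcornSwap, PancakeSwap or SushiSwap: a simplified Python heuristic that flags privileged contract functions granting a token allowance to a caller-supplied address. The Solidity fragment is constructed for illustration; only the name preUpgrade comes from the article, and every other identifier is hypothetical.

```python
import re

# Constructed Solidity fragment for illustration only. It is NOT the real
# PopcornSwap or SushiSwap source; only the name preUpgrade is from the article.
SAMPLE_SOURCE = """
contract Farm {
    function deposit(uint256 pid, uint256 amount) public {
        pool[pid].lpToken.safeTransferFrom(msg.sender, address(this), amount);
    }

    function preUpgrade(address target) public onlyOwner {
        for (uint256 pid = 0; pid < pool.length; pid++) {
            pool[pid].lpToken.approve(target, uint256(-1));
        }
    }

    function setFee(uint256 fee) public onlyOwner {
        feeBps = fee;
    }
}
"""

FUNC_HEADER = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")
PRIVILEGED = re.compile(r"\bonly\w+\b")  # onlyOwner, onlyAdmin, ...
GRANTS = re.compile(r"\.\s*(approve|safeApprove|increaseAllowance)\s*\(\s*(\w+)")

def function_bodies(source):
    """Yield (name, params, modifiers, body) for each function, by brace matching.
    Heuristic: braces inside strings or comments are not handled."""
    for m in FUNC_HEADER.finditer(source):
        depth, i = 1, m.end()
        while i < len(source) and depth:
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        yield m.group(1), m.group(2), m.group(3), source[m.end():i - 1]

def find_privileged_allowance_grants(source):
    """Return (function, call, spender) where an access-restricted function lets
    its caller choose the spender of tokens held by the contract."""
    findings = []
    for name, params, modifiers, body in function_bodies(source):
        if not PRIVILEGED.search(modifiers):
            continue  # only functions gated by an only* modifier are in scope
        param_names = {p.split()[-1] for p in params.split(",") if p.strip()}
        for call in GRANTS.finditer(body):
            if call.group(2) in param_names:
                findings.append((name, call.group(1), call.group(2)))
    return findings
```

A hit is a prompt for manual review of who holds the privileged role and whether a timelock or multisig guards it, not proof of a backdoor.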

Between 1:26 pm and 5:53 pm UTC on Jan. 28, 2021, a BSC address known as Fake_Phishing7 used the aforementioned function to drain the protocol's $2 million worth of crypto, swapping all of it into the network's native coin, BNB, in the process.

PopcornSwap LPs lost everything. The attack ended when Fake_Phishing7 initiated a final transaction, swapping 250,913 Binance-pegged USD Coin (USDC) for 5,536 BNB. This left the scammer with approximately 48,511 BNB, worth $2 million at the time (and $10.8 million now), held in its address.

In the wake of the rug pull, victims formed a Telegram group called "PopcornSwap Rugpull" and urged one another to reach out to Binance and report the fraud, asking the exchange to freeze the scammer's address before any funds could be cashed out.

Some users believed that Binance could freeze the scammer's private wallet address, while others argued it was impossible, as a centralized exchange could not freeze a private wallet address.

On Jan. 29, 2021, Binance responded to one of the PopcornSwap victims. A user who calls themselves "Richie" posted an image of the email they received. In it, the Binance customer service agent mistakenly stated that "the wallet of the scammer has been frozen." The customer service agent urged Richie and all PopcornSwap users to "be patient until the whole situation gets resolved by the authorities."

But by October 2022, the stolen funds remained unmoved, and all attempts to get customer service to respond were met with form letters asking users to contact the police. The PopcornSwap victims were bewildered by the exchange's seemingly callous response to their requests for reimbursement. However, blockchain data shows that at the time of these complaints, Binance did not have any possession of the stolen funds, nor was it affiliated with the entity that stole users' money.

Contrary to the statement from Binance's customer service representative, data from BNB Smart Chain shows that the scammer's address was not frozen before Oct. 6, 2022. Instead, the funds remained in the attacker's account and were never deposited to a centralized exchange nor bridged to another network. The scammer failed to cash out their stolen loot and never profited from the attack. But this failure was due to the scammer's own seeming lack of initiative, not due to any freezing action performed by Binance.

On Oct. 6, 2022, in an attack completely unrelated to the PopcornSwap scam, the BSC Token Hub bridge was exploited for over $570 million. The exploiter used a loophole within the bridge code to issue 2 million BNB on BSC without first depositing it to the Beacon Chain side of the bridge. This meant that the total supply of BNB increased by 2 million on BSC.

The attacker immediately bridged $100 million worth of the exploited BNB to other networks, effectively putting the funds out of reach of BSC validators. In response, BSC developers proposed a hard fork of the network that would shut down the bridge and freeze the exploiter's address. While drafting this proposal, the team also included a line in the code to freeze the PopcornSwap scammer's address.

This upgrade was unanimously approved by all of BNB Chain's validators. As a result, both the bridge exploiter's and PopcornSwap scammer's addresses were banned from performing any outgoing transactions after Oct. 6, 2022.

However, the new proposal did not include code transferring the frozen funds to another address. Victims say that Binance could have done more to mitigate the incident.

In a conversation with Cointelegraph on Aug. 31, 2023, a representative from Binance confirmed that the Oct. 6, 2022 proposal to freeze the Fake_Phishing7 address was made by Binance. The representative also confirmed that it was merely a proposal, which could not be implemented without the consent of validators. In this case, the proposal was agreed to unanimously by all network validators. The representative stated:

Binance also confirmed, in agreement with blockchain data, that the funds were never moved into its possession. "We can confirm that the scammer did not transfer funds to Binance, and we don't have control over the funds," they stated. "BNB Chain is an open-source and decentralized ecosystem; wallets and/or their funds cannot be frozen at will [and] governance decisions are coordinated by the community."

Binance claimed that the investigation has not been closed and that the exchange stands ready to comply with police if it can be of assistance. "This case remains under investigation, and our investigations team is always ready to support law enforcement in pursuit of those responsible," the representative stated.

Victims of the PopcornSwap scam lost over $2 million of their hard-earned money, and seeing that Binance developed BNB Smart Chain, they turned to it for help. The exchange initially refused to help, citing the decentralized nature of blockchains, but later reversed course and froze the scammer's private address with the agreement of the BNB Chain validators.

The PopcornSwap scam also serves as a cautionary tale of the risks of using smart contracts. If a smart contract contains a loophole that allows an attacker to drain users' funds, the victims will face an uphill struggle to be reimbursed by validators after the attack is completed, as forks of a chain essentially require unanimous consent to be implemented; such is the nature of blockchains. In addition, take note that despite their decentralized claims, many entities can, in fact, exercise control over users' assets if they wish.

Cointelegraph editor Zhiyuan Sun contributed to this story.
