A BNB Chain rug pull scammed users out of $2 million worth of BNB ($11 million at today’s prices). Users asked Binance for help, and Binance said it had frozen the funds but then retracted the statement. The funds sat in the address for nearly two years until Binance suddenly took action to freeze the scammer’s wallet, which had grown to $10.8 million. Previously, Binance had stated that it could not freeze wallets outside of exchange addresses due to BNB Chain’s decentralized nature. Users were unhappy and demanded that Binance do more. This is the story of the PopcornSwap scam.
On Jan. 28, 2021, the BNB Chain-based decentralized exchange PopcornSwap executed an exit scam, stealing over $2 million of liquidity providers’ assets through a little-known “preUpgrade” function contained in the exchange’s smart contract. Users held out hope that Binance, which created BNB Chain, could freeze the scammer’s address. The BNB (BNB) held in the scammer’s account slowly grew to over $10 million in value as users speculated on whether or not the funds had been frozen.
An investigation reveals that contrary to popular belief, Binance is, in fact, able to freeze private wallet addresses on BNB Chain — so long as all validators consent. Although Binance ultimately froze the attacker’s address, the action occurred nearly two years after the scam. The attacker voluntarily kept funds in the original account in the intervening two years and did not move them.
The PopcornSwap rug pull
In 2021, PopcornSwap became one of the first decentralized exchanges on the newly launched Binance Smart Chain (BSC), later renamed BNB Smart Chain. Some of the network’s users flocked to PopcornSwap to deposit liquidity, hoping to profit from the high trading volumes they expected to materialize on BSC. But instead of getting the record yields they had expected, they lost all the funds they had deposited. PopcornSwap was a fork of PancakeSwap, itself a fork of SushiSwap on Ethereum. And it just so happened that SushiSwap contained a “preUpgrade” function that allowed developers to approve themselves as spenders for every liquidity provider (LP) token, letting them drain all the assets held by the protocol.
Between 1:26 pm and 5:53 pm UTC on Jan. 28, 2021, a BSC address known as “Fake_Phishing7” used the aforementioned function to drain the protocol’s $2 million worth of crypto, swapping all of it into the network’s native coin, BNB, in the process. PopcornSwap LPs lost everything. The attack ended when Fake_Phishing7 initiated a final transaction, swapping 250,913 Binance-pegged USD Coin (USDC) for 5,536 BNB. This left the scammer with approximately 48,511 BNB, worth $2 million at the time (and $10.8 million now), held in its address.
Victims ask Binance for help
In the wake of the rug pull, victims formed a Telegram group called PopcornSwap Rugpull and urged one another to reach out to Binance and report the fraud, asking the exchange to freeze the scammer’s address before any funds could be cashed out. Some users believed that Binance could freeze the scammer’s private wallet address, while others argued it was impossible, as a centralized exchange could not freeze a private wallet address.
Related: Binance pushes new stablecoin as it confirms plan to cease BUSD support
The exchange takes action
On Jan. 29, 2021, Binance responded to one of the PopcornSwap victims. A user who calls themselves “Richie” posted an image of the email they received. In it, the Binance customer service agent mistakenly stated that “the wallet of the scammer has been frozen.” The customer service agent urged Richie and all PopcornSwap users to “be patient until the whole situation gets resolved by the authorities.”
But by October 2022, the stolen funds remained unmoved, and all attempts to get customer service to respond were met with form letters asking users to contact the police. The PopcornSwap victims were bewildered by the exchange’s seemingly callous response to their requests for reimbursement. However, blockchain data shows that at the time of these complaints, Binance did not have any possession of the stolen funds, nor was it affiliated with the entity that stole users’ money.
Contrary to the statement from Binance’s customer service representative, data from BNB Smart Chain shows that the scammer’s address was not frozen before Oct. 6, 2022. Instead, the funds remained in the attacker’s account and were never deposited to a centralized exchange nor bridged to another network. The scammer failed to cash out their stolen loot and never profited from the attack. But this failure was due to the scammer’s seeming own lack of initiative, not due to any freezing action performed by Binance.
The Oct. 6, 2022 freeze
On Oct. 6, 2022, in an attack completely unrelated to the PopcornSwap scam, the BSC Token Hub bridge was exploited for over $570 million. The exploiter used a loophole within the bridge code to issue 2 million BNB on BSC without first depositing it to the Beacon Chain side of the bridge. This meant that the total supply of BNB increased by 2 million on BSC.
The attacker immediately bridged $100 million worth of the exploited BNB to other networks, effectively putting the funds out of reach of BSC validators. In response, BSC developers proposed a hard fork of the network that would shut down the bridge and freeze the exploiter’s address. While drafting this proposal, the team also included a line in the code to freeze the PopcornSwap scammer’s address.
This upgrade was unanimously approved by all of BNB Chain’s validators. As a result, both the bridge exploiter’s and PopcornSwap scammer’s addresses were banned from performing any outgoing transactions after Oct. 6, 2022. However, the new proposal did not include code transferring the frozen funds to another address. Victims say that Binance could have done more to mitigate the incident.
11/ On a positive note, it's worth noting that Binance did freeze the wallet and BNB when a significant hack occurred, which is a positive step. However, the subsequent silence and lack of communication regarding the frozen BNB raise concerns. We deserve answers.
— neonmatrixbox (@neonmatrixbox) June 26, 2023
Binance responds
In a conversation with Cointelegraph on Aug. 31, 2023, a representative from Binance confirmed that the Oct. 6, 2022 proposal to freeze the Fake_Phishing7 address was made by Binance. The representative also confirmed that it was merely a proposal, which could not be implemented without the consent of validators. In this case, the proposal was agreed to unanimously by all network validators. The representative stated:
“At the request of the PopcornSwap victims, Binance proposed blacklisting the attacker’s address alongside the BNB Bridge attacker in October 2022, which was submitted by the BNB Chain team and approved by network validators.”
Binance also confirmed, in agreement with blockchain data, that the funds were never moved into its possession. “We can confirm that the scammer did not transfer funds to Binance, and we don’t have control over the funds,” they stated. “BNB Chain is an open-source and decentralized ecosystem; wallets and/or their funds cannot be frozen at will [and] governance decisions are coordinated by the community.”
Binance claimed that the investigation has not been closed and that the exchange stands ready to comply with police if it can be of assistance. “This case remains under investigation, and our investigations team is always ready to support law enforcement in pursuit of those responsible,” the representative stated.
The PopcornSwap scam: A cautionary tale
Victims of the PopcornSwap scam lost over $2 million of their hard-earned money, and seeing that Binance developed BNB Smart Chain, they turned to it for help. The exchange initially refused to help, citing the decentralized nature of blockchains, but later reversed course and froze the scammer’s private address with the agreement of the BNB Chain validators.
The PopcornSwap scam also serves as a cautionary tale of the risks of using smart contracts. If a smart contract contains a loophole that allows an attacker to drain users’ funds, the victims will face an uphill struggle to be reimbursed by validators after the attack is completed, as forks of a chain essentially require unanimous consent to be implemented — such is the nature of blockchains. In addition, take note that despite their decentralized claims, many entities can, in fact, exercise control over users’ assets if they wish.
Cointelegraph editor Zhiyuan Sun contributed to this story.
Magazine: $3.4B of Bitcoin in a popcorn tin — The Silk Road hacker’s story