A BNB Chain rug pull scams users out of $2 million ($11 million at today’s BNB prices). Users ask Binance for help. Binance says it has frozen the funds but then retracts the statement. The funds sat in the address for nearly two years when Binance suddenly took action to freeze the scammer’s wallet, which had grown to $10.8 million. Previously, Binance had stated that it could not freeze wallets outside exchange addresses due to BNB Chain’s decentralized nature. Users are unhappy and demand Binance to do more. This is the story of the PopcornSwap scam.
On January 28, 2021, decentralized exchange PopcornSwap on Build N Build (BNB) Chain executed an exit scam, stealing over $2 million of liquidity providers’ assets through a little known “preUpgrade” function contained in the exchange’s smart contract. Users held out hope that Binance, creator of BNB Chain, would be able to freeze the scammers’ address. The BNB held in the scammer’s account has grown to over $10 million in value since then as users speculated on whether or not the funds had been frozen.
An investigation reveals that contrary to popular belief, Binance is in fact able to freeze private wallet addresses on BNB Chain, so long as all validators consent. Although the attacker’s address was ultimately frozen by Binance, this action occurred nearly two years after the scam. In the intervening two years, the attacker voluntarily kept funds in the original account and did not move them.
The PopcornSwap rug pull
In 2021, PopcornSwap became one of the first decentralized exchanges on the newly launched Binance Smart Chain (BSC), which was later renamed “BNB Smart Chain.” Some of the network’s users flocked to PopcornSwap to deposit liquidity, hoping to profit from the high trading volumes they expected to materialize on BSC. But instead of getting the record yields they had expected, they lost all of the funds they had deposited. PopcornSwap was a fork of Pancakeswap, which was itself a fork of Sushiswap on Ethereum. And it just so happened that Sushiswap contained a “preUpgrade” function that allowed developers to approve themselves as spenders for every liquidity provider (LP) token, letting them drain all of the assets held by the protocol.
Between 1:26 p.m. and 5:53 p.m. UTC, January 28, 2021 BSC address 0xFd6042Df3D74ce9959922FeC559d7995F3933c55 used the aforementioned function to drain the protocol’s $2 million worth of crypto, swapping all of it into the network’s native coin, BNB, in the process. PopcornSwap LPs had lost everything. The attack ended at 5:53 p.m. UTC, January 28, when Fake_Phishing7 initiated a final transaction swapping 250,913 Binance-pedgged USD Coin (USDC) for 5,536 BNB. This left the scammer with approximately 48,511 BNB, worth $2 million at the time (and $10.8 million now), held in its address.
Victims ask Binance for help
In the wake of the rug pull, victims formed the PopcornRugPull Telegram group. They urged one another to reach out to Binance and report the fraud, asking Binance to freeze the scammers address before any funds could be cashed out. Some users believed that Binance could freeze the scammer’s private wallet address. Others argued that this was impossible, as a centralized exchange cannot freeze a private wallet address.
Related: Binance pushes new stablecoin as it confirms plan to cease BUSD support
The exchange takes action
On January 29, 2021 Binance responded to one of the PopcornSwap victims. A user who calls themselves “Richie” posted an image of the email they received. In it, the Binance customer service agent mistakenly stated that “the wallet of the scammer has been frozen.” The customer service agent urged Richie and all PopcornSwap users to be patient “until the whole situation gets resolved by authorities.”
But by October 2022, the stolen funds remained unmoved, and all attempts to get customer service to respond were met with form letters asking users to contact police. PopcornSwap victims were bewildered by the exchange’s seemingly callous response to users’ requests for reimbursement. However, blockchain data shows that at the time of these complaints, Binance did not have any possession of the stolen funds, nor was it affiliated with the entity that stole users’ money.
Contrary to the statement from Binance’s customer service representative, data from BNB Smart Chain shows that the scammer’s address was not frozen prior to October 6, 2022. Instead, the funds remained in the attacker’s account and were never deposited to a centralized exchange nor bridged to another network. The scammer failed to cash out their stolen loot and never profited from the attack. But this failure was due to the scammer’s own lack of initiative, not due to any freezing action performed by Binance.
The October 6, 2022 freeze
On October 6, 2022, in an attack completely unrelated to the PopcornSwap scam, the BSC Token Hub bridge was exploited for over $570 million. The exploiter used a loophole within the bridge code to issue 2 million BNB on Smart Chain without first depositing them to the Beacon Chain side of the bridge. This meant that the total supply of BNB increased by 2 million on BSC.
The attacker immediately bridged $100 million worth of the exploited BNB to other networks, effectively putting the funds out of reach of BSC validators. In response, BSC developers proposed a hard fork of the network that would shut down the bridge and freeze the exploiter’s address. While drafting this proposal, the team also included a line in the code freezing the PopcornSwap scammer’s address.
This upgrade was unanimously approved by all of BNB Chain’s validators. As a result, both the bridge exploiter’s and PopcornSwap scammer’s addresses were banned from performing any outgoing transactions after October 6, 2022. However, the new proposal did not include code transferring the frozen funds to another address. Victims say that Binance could have done more to mitigate the incident.
11/ On a positive note, it’s worth noting that Binance did freeze the wallet and BNB when a significant hack occurred, which is a positive step. However, the subsequent silence and lack of communication regarding the frozen BNB raise concerns. We deserve answers.
— neonmatrixbox (@neonmatrixbox) June 26, 2023
In a conversation with Cointelegraph on August 31, a representative from Binance confirmed that the October 6, 2022 proposal to freeze address 0xFd6042Df3D74ce9959922FeC559d7995F3933c55, also known as “Fake_Phishing7,” was made by Binance. The representative also confirmed that this was merely a proposal, which could not be implemented without the consent of validators. In this case, the proposal was agreed to unanimously by all network validators. They stated:
“At the request of PopcornSwap victims, Binance proposed blacklisting the attacker’s address alongside the BNB Bridge attacker in October 2022, which was submitted by the BNB Chain team and approved by network validators.”
Binance also confirmed, in agreement with blockchain data, that the funds were never moved into Binance’s possession. “We can confirm that the scammer did not transfer funds to Binance, and we don’t have control over the funds,” they stated. “BNB Chain is an open-source and decentralized ecosystem; wallets and/or their funds cannot be frozen at will [and] governance decisions are coordinated by the community.”
Binance claimed that the investigation has not been closed, and that the exchange stands ready to comply with police if it can be of assistance “This case remains under investigation, and our investigations team is always ready to support law enforcement in pursuit of those responsible,” it stated.
The Pocornswap scam: a cautionary tale
Victims of the PopcornSwap scam lost over $2 million of their hard-earned money as a result of it. Seeing that Binance was the developer of BNB Smart Chain, they turned to it for help. The exchange refused to help citing the decentralized nature of blockchains. However, Binance subsequently reversed course and froze the scammer’s private address with the agreement of BNB Chain validators.
The PopcornSwap scam also serves as a cautionary tale of the risks of using smart contracts. If a smart contract contains a loophole that allows an attacker to drain users’ funds, the victims will face an uphill struggle trying to get reimbursed by validators after the attack is completed, since forks of a blockchain essentially require unanimous consent to be implemented. Such is the nature of blockchains. In addition, take note that despite their decentralized claims, entities can in fact, exercise control over users’ assets if they wish.
Cointelegraph Editor Zhiyuan Sun contributed to this story.
Related: Multichain victims search for answers in $1.5B exploit as new evidence emerges