A BNB Chain rug pull scams users out of $2 million ($11 million at today’s BNB prices). Users ask Binance for help. Binance says it has frozen the funds but then retracts the statement. The funds sat in the address for nearly two years before Binance suddenly took action to freeze the scammer’s wallet, which had grown to $10.8 million. Previously, Binance had stated that it could not freeze wallets outside exchange addresses due to BNB Chain’s decentralized nature. Users are unhappy and demand that Binance do more. This is the story of the PopcornSwap scam.
On January 28, 2021, decentralized exchange PopcornSwap on Build N Build (BNB) Chain executed an exit scam, stealing over $2 million of liquidity providers’ assets through a little-known “preUpgrade” function contained in the exchange’s smart contract. Users held out hope that Binance, creator of BNB Chain, would be able to freeze the scammers’ address. The BNB held in the scammer’s account has grown to over $10 million in value since then as users speculated on whether or not the funds had been frozen.
An investigation reveals that contrary to popular belief, Binance is in fact able to freeze private wallet addresses on BNB Chain, so long as all validators consent. Although the attacker’s address was ultimately frozen by Binance, this action occurred nearly two years after the scam. In the intervening two years, the attacker voluntarily kept funds in the original account and did not move them.
The PopcornSwap rug pull
In 2021, PopcornSwap became one of the first decentralized exchanges on the newly launched Binance Smart Chain (BSC), which was later renamed “BNB Smart Chain.” Some of the network’s users flocked to PopcornSwap to deposit liquidity, hoping to profit from the high trading volumes they expected to materialize on BSC. But instead of getting the record yields they had expected, they lost all of the funds they had deposited. PopcornSwap was a fork of PancakeSwap, which was itself a fork of SushiSwap on Ethereum. And it just so happened that SushiSwap contained a “preUpgrade” function that allowed developers to approve themselves as spenders for every liquidity provider (LP) token, letting them drain all of the assets held by the protocol.
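The pattern described above, a privileged function that approves an outside address as spender of the LP tokens a contract holds, can be screened for before depositing. The following is an added example, not code from PopcornSwap, SushiSwap or the original article: a heuristic Python scan run over a constructed Solidity sample. The sample contract, the body of its preUpgrade function and the helper names audit and body_at are assumptions made for illustration.

```python
import re

# Constructed sample, NOT the PopcornSwap or SushiSwap source: a staking contract
# with an owner-only function that approves a caller-chosen spender on every LP token.
SAMPLE = '''
contract Chef {
    function deposit(uint256 pid, uint256 amount) external {
        pools[pid].lpToken.transferFrom(msg.sender, address(this), amount);
    }
    function preUpgrade(address next) external onlyOwner {
        for (uint256 i = 0; i < pools.length; i++) {
            pools[i].lpToken.approve(next, type(uint256).max);
        }
    }
}
'''

FUNC = re.compile(r'function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{')
GRANT = re.compile(r'\.(?:approve|safeApprove|safeIncreaseAllowance)\s*\(\s*(\w+)')
DRAIN = re.compile(r'\.(?:transfer|safeTransfer)\s*\(\s*(\w+)')
PRIVILEGED = re.compile(r'\bonly\w+\b')  # assumption: access control uses onlyX modifiers

def body_at(src, start):
    """Return the text of the brace-balanced block whose '{' is at src[start]."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == '{':
            depth += 1
        elif src[i] == '}':
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    return src[start + 1:]

def audit(src):
    """Flag privileged functions that hand token allowances or balances
    to an address taken from the function's own parameters."""
    findings = []
    for m in FUNC.finditer(src):
        name, params, mods = m.groups()
        addr_params = set(re.findall(r'address(?:\s+payable)?\s+(\w+)', params))
        body = body_at(src, m.end() - 1)
        for kind, rx in (('allowance', GRANT), ('transfer', DRAIN)):
            hits = {t for t in rx.findall(body) if t in addr_params}
            if hits and PRIVILEGED.search(mods):
                findings.append((name, kind, sorted(hits)))
    return findings
```

A text-level scan like this misses proxies, inherited code and inline assembly, so it narrows where to read and does not replace a full audit.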
Between 1:26 p.m. and 5:53 p.m. UTC on January 28, 2021, BSC address 0xFd6042Df3D74ce9959922FeC559d7995F3933c55 used the aforementioned function to drain the protocol’s $2 million worth of crypto, swapping all of it into the…
Original article: Cointelegraph.com News