Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.
According to sources, since April 12, 2021, a person with access to the Binance Smart Chain account 0x35f16a46d3cf19010d28578a8b02dfa3cb4095a1 (PancakeSwap administrator account) has stolen 59,765 CAKE (approximately US$1,800,000) from the PancakeSwap lottery pool. After hackers exploited the vulnerability several times, PancakeSwap banned the account. Attack method (per SlowMist): Private Key Leakage. Reported loss: $1,800,000.
- chain: bsc
- protocol: PancakeSwap
- bug_class: private-key
- date_occurred: 2021-04-12
- loss_usd: $1,800,000
- source_id: sm:pancakeswap::2021-04-12