Why are Binance Smart Chain Projects Hacked so Often?
Binance Smart Chain, the Ethereum clone that has been mainly used by retail investors, has a plethora of decentralized applications building on its network. Unfortunately, a lot of these projects seem to get hacked. The reason for this has to do with the nature of these projects and their intention to be a get rich quick platform instead of a revolutionary finance tool.
A typical week in cryptocurrency news is almost guaranteed to always have three stories: a famous figure praises crypto, another famous figure speaks out against it, and a Binance Smart Chain project is hacked. In the past couple of months, large projects such as Pancakebunny, Uranium Finance, Meerkat Finance, Spartan Protocol, and Burgerswap have been hacked, causing damages totaling over $300 million. Retail investors, who use BSC due to its fast and cheap transaction times compared to Ethereum, experience a loss of trust in the cryptocurrency space as a whole due to the hacks, which could contribute to the mass exodus of retail investors from the cryptocurrency market.
Even though it seems odd that all of these hacks and scams are happening on BSC, there is actually a simple explanation which relates to the chain’s history and usage.
Binance smart chain was created in response to the high fees and slow transaction times on Ethereum. It basically cloned the Ethereum network and changed the consensus mechanism to only have 21 validators confirming transactions using a proof of stake model. This is more efficient than Ethereum’s proof of work mechanism, but comes at the cost of strong centralization. To their credit, BSC plans to make themselves more unique and does not consider themselves an Ethereum competitor.
However, centralization does not appear to matter to the average retail investor, as BSC has seen a massive influx of users on their platform taking advantage of their suite of decentralized applications.
Since BSC is used primarily by retail investors, and Ethereum is the main blockchain with real technical developments, many of BSC’s biggest dApps are simply clones of Ethereum’s. For example, PancakeSwap started as a direct clone of Uniswap, and Meerkat Finance’s code is extremely similar to Yearn Finance’s. There are also dApps catering directly to retail investors and taking advantage of their lack of knowledge about tokenomics. The reason that these appeal to retail investors only is because institutional investors do a lot more research about a project, and typically do not invest in clones, but instead in projects that are unique and offer value.
Many of the DeFi projects offering 1000% gains on BSC are not as lucrative as they seem. The projects typically have a useless token with a massive inflation rate, which is how they can advertise such high returns. With so little thought and care put into the long-term tokenomics, it makes sense that the development team may also forget to put checks in place to prevent hacks.
For example, the Pancakebunny protocol, which called itself a “yield aggregator,” advertised a 150% APY by giving out their BUNNY token, which had no use other than to govern the protocol. The governance rights were only over other BUNNY and CAKE tokens, so BUNNY had little use to begin with. When they were hacked, it was technically an attack on the token using economic means, not technical, but still proves that these projects offer little innovation.
Another example is Meerkat Finance’s hack. Meerkat launched their MKAT token and platform on March 3, then one day later scammed their users and stole around $30 million in user funds. Meerkat was a fork of Alpaca Finance, which was a fork of Yearn Finance. In the search for massive gains, retail investors failed to see past the shady and anonymous team and inherent problems with a triple-forked protocol. Yearn has value because it is innovative and has a first mover advantage. Alpaca, while not nearly as innovative as Yearn, is the first aggregator on BSC, and thus has some inherent value. Meerkat offered nothing to the ecosystem, yet investors trusted their money with the protocol expecting massive returns.
Spartan Protocol, a liquidity aggregator similar to Uniswap, experienced a smart contract hack in early May. A hacker took advantage of a vulnerability within the contract in order to withdraw more than their fair share of funds from the protocol’s smart contract. In this case, Spartan rushed their project, clearly before it was ready for a public release, and paid the price. Had they gone the traditional route that most legitimate projects go through, which involves multiple third-party audits, bug bounties, and thorough testnet trial runs, they would not have had this issue.
These three BSC dApp examples show the three main types of hacks that occur most frequently on the blockchain: tokenomic-related hacks, projects that were created as a scam, and smart contract vulnerabilities.
The reason that these appear so frequently on BSC, more so than Ethereum, is because scammers know that BSC is the blockchain used by speculators and retail investors due to the low barrier to entry. Projects with flaws in their tokens or smart contracts rushed into the ecosystem in order to capitalize on the mania surrounding the space, instead of focusing on building a fundamentally sound project. These projects still exist on Ethereum, but are less common due to the high upfront cost of the gas fees, and smaller number of inexperienced cryptocurrency investors using the network.
As long as BSC is the most popular smart contract chain to the general public, scam projects and vulnerable smart contracts will continue to be published. There is no solution to the problem, other than for individual investors to do their due diligence about what projects to invest in, and avoid anything that appears too good to be true.
If Ethereum 2.0 releases and becomes the main blockchain for retail investors, we can expect this mania to shift from BSC to Ethereum. This issue can never truly be fixed, and individuals can only protect themselves by only putting their money in proven and audited dApps.
By Lincoln Murr