PancakeSwap

Multi-Chain
Last audited on 2020/10/13
No active critical issues

Last Issues (9)

            Low  Medium  High  Critical  Total
Not fixed   1    -       -     -         1
Fixed       6    1       1     -         8
Total       7    1       1     0         9

Reported rekts

PancakeSwap was reported as rekt on 2021/04/11
Starting April 12th, 2021, a person with access to the Binance Smart Chain account 0x35f16a46d3cf19010d28578a8b02dfa3cb4095a1
(a PancakeSwap admin account) stole 59,765 CAKE (equivalent to about $1,800,000) from the PancakeSwap lottery pool. He used the
exploit a few times. Shortly after the last theft, the lottery game was suspended, and this account was banned by PancakeSwap.

The PancakeSwap admin used this access to manually call lottery contract methods such as:

- function drawing(uint256 _externalRandomNumber) external onlyAdmin

- function enterDrawingPhase() external onlyAdmin

He executed a few calls together (buy, enter drawing, draw) and put them all into the same block. That let him predict the
jackpot numbers: the random number generator was based on the previous block hash, which is already fixed when those calls
execute, so its output was no longer random.

PancakeSwap was reported as rekt on 2020/11/02
Bad actors took advantage of a flaw in the connection between the MasterChef contract and the SyrupBar contract. When CAKE was
staked, an equivalent number of SYRUP tokens was minted, and those SYRUP tokens were meant to be burned once the CAKE was unstaked
and withdrawn. The flaw was that if a user invoked the MasterChef contract's emergencyWithdraw method to withdraw their staked
CAKE, the related SYRUP tokens were not burned as planned. This let malicious actors repeatedly mint additional SYRUP tokens
using their CAKE tokens.

Because far more SYRUP tokens were in circulation than was permitted, the bad actors received a larger share of Syrup Pool
rewards.
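
The accounting flaw described above is the kind of bug an invariant check catches. The following is an added example, not PancakeSwap's or the auditor's code: a simplified Python model (class, method and user names are assumptions that mirror the description) that replays a constructed operation sequence and reports the first step at which SYRUP in circulation exceeds staked CAKE, with the flawed emergency path beside a hardened one that also burns SYRUP.

```python
# Simplified model (constructed for illustration) of the staking accounting
# described above: staking CAKE mints equal SYRUP, unstaking burns it.
from collections import defaultdict


class StakingModel:
    def __init__(self, burn_on_emergency):
        self.burn_on_emergency = burn_on_emergency  # False = flawed behaviour from the report
        self.staked = defaultdict(int)   # user -> CAKE held by the staking contract
        self.syrup = defaultdict(int)    # user -> SYRUP balance

    def enter_staking(self, user, amount):
        self.staked[user] += amount
        self.syrup[user] += amount       # mint SYRUP 1:1

    def leave_staking(self, user, amount):
        if amount > self.staked[user] or amount > self.syrup[user]:
            raise ValueError("insufficient stake or SYRUP")
        self.staked[user] -= amount
        self.syrup[user] -= amount       # burn SYRUP 1:1

    def emergency_withdraw(self, user):
        amount, self.staked[user] = self.staked[user], 0
        if self.burn_on_emergency:
            self.syrup[user] -= min(amount, self.syrup[user])  # hardened: burn too
        return amount

    def invariant_holds(self):
        # SYRUP in circulation must never exceed CAKE actually staked.
        return sum(self.syrup.values()) <= sum(self.staked.values())


def first_violation(model, ops):
    """Replay ops, checking the invariant after each; return index of first break or None."""
    for i, (name, *args) in enumerate(ops):
        getattr(model, name)(*args)
        if not model.invariant_holds():
            return i
    return None


# Constructed sequence: two stakers, one uses the emergency path and restakes.
OPS = [
    ("enter_staking", "alice", 100),
    ("enter_staking", "bob", 50),
    ("emergency_withdraw", "alice"),
    ("enter_staking", "alice", 100),
    ("leave_staking", "bob", 50),
]
```

Running `first_violation` against both variants after every state-changing call is the same check a property-based or fuzz test would apply to the real contracts' mint and burn paths.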

Audit (1)

#  Name               Auditor  Date        Chains               Issues
1  PancakeSwap Audit  CertiK   2020/10/13  Off-Chain (Private)  No active critical issues