Summary:
Whitehat Kadabra from $SLAM Token team discovered a web content injection vulnerability that would have allowed a malicious user to inject any arbitrary text on PancakeSwap’s website. Kadabra reported this vulnerability to Immunefi on May 21, and we rated it as critical. PancakeSwap has paid the whitehat a bounty of $7,500 and patched the vulnerability. The vulnerability does not appear to have been exploited by any malicious users.
Vulnerability Analysis:
PancakeSwap uses Crowdin, a localization management platform. Localization is the process of translating a site's text into the languages of its users. PancakeSwap's front end fetched its translations directly from the Crowdin API, which meant the API key used for that fetch was sent from the browser and was therefore visible to anyone who inspected the site's network traffic. That key was not read-only: it had full write access to the Crowdin project. A malicious user who recovered it could have created new translations and overwritten existing ones, including English, the main language used on PancakeSwap's website, and so injected arbitrary content. For example, the text on the site could have been changed to direct users to a phishing site or to ask them to swap a particular token, among other things.
The whitehat provided a POC by making an inconsequential edit to a little-used localization on the site.
The step by step execution of the attack is as follows:
Step 1: Navigate to PancakeSwap’s website
Step 2: Inspect the network traffic upon changing the language
Step 3: Extract the API key from the headers of the “GET” request: https://api.crowdin.com/api/v2/projects/422458/languages/es-ES/translations?field=6&limit=200
Step 4: Create a new translation using the Crowdin API documentation: https://support.crowdin.com/api/v2/#operation/api.projects.translations.post
Step 5: Approve that translation: https://support.crowdin.com/api/v2/#operation/api.projects.approvals.post
Prior to being patched, once the translation was approved, any added or altered text would have appeared on the PancakeSwap website instantly.
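As an added illustration (not code from PancakeSwap, Immunefi, or the whitehat's report), the following Python helpers show the two sides of the issue described in the steps above: recovering a bearer token from a captured request the way steps 2 and 3 do, and the shape of a server-side proxy that keeps the Crowdin token off the client and only forwards the read-only translation fetch, so that even a write-capable token can no longer be driven from the browser. The request headers and the token value are constructed samples; the project ID 422458 and the translations path are taken from the request URL quoted in step 3, and the assumption that Crowdin accepts the token as an `Authorization: Bearer` header is an assumption of this example.

```python
"""Helpers around a localization API key exposed to the browser.

extract_bearer_tokens(): what an attacker (or the whitehat) does in steps 2-3,
applied to captured request headers. Any token recoverable this way must be
treated as public.

TranslationProxyPolicy: the decision logic of a server-side proxy that holds
the Crowdin token itself and forwards only GET requests for the one
translation-fetch path of the one project. Writes (adding or approving
translations) and every other path are refused regardless of what the
server-held token could do.
"""
import posixpath
import re
from dataclasses import dataclass
from typing import Iterable, Mapping
from urllib.parse import unquote, urlsplit

# Constructed sample: headers as they might appear in a captured request.
# The token value is made up for this example, not a real credential.
SAMPLE_REQUEST_HEADERS = {
    "Host": "api.crowdin.com",
    "Authorization": "Bearer 8f2c1d9e0a7b4c6d8e1f2a3b4c5d6e7f",
    "Accept": "application/json",
    "User-Agent": "Mozilla/5.0",
}

BEARER_RE = re.compile(r"^\s*Bearer\s+(\S+)\s*$", re.IGNORECASE)


def extract_bearer_tokens(headers: Mapping[str, str]) -> list[str]:
    """Return every bearer token found in Authorization headers.
    Header names are compared case-insensitively, as HTTP requires."""
    tokens = []
    for name, value in headers.items():
        if name.lower() == "authorization":
            m = BEARER_RE.match(value)
            if m:
                tokens.append(m.group(1))
    return tokens


# The only path the proxy will forward (assumed from the URL in step 3):
# /api/v2/projects/{projectId}/languages/{languageId}/translations
ALLOWED_PATH_RE = re.compile(
    r"^/api/v2/projects/(?P<project>\d+)/languages/"
    r"(?P<lang>[A-Za-z]{2,3}(?:-[A-Za-z]{2,4})?)/translations$"
)


@dataclass(frozen=True)
class ProxyDecision:
    allowed: bool
    reason: str


class TranslationProxyPolicy:
    """Allow-list policy for a translation-fetch proxy.

    Only GET on the translation path of the configured project, for a
    configured set of languages, is forwarded. POST /translations and
    POST /approvals (steps 4 and 5) are rejected by the method check alone.
    """

    def __init__(self, project_id: int, allowed_langs: Iterable[str]):
        self.project_id = str(project_id)
        self.allowed_langs = {lang.lower() for lang in allowed_langs}

    def decide(self, method: str, url: str) -> ProxyDecision:
        if method.upper() != "GET":
            return ProxyDecision(False, f"method {method} not allowed")
        parts = urlsplit(url)
        if parts.netloc and parts.netloc.lower() != "api.crowdin.com":
            return ProxyDecision(False, "host not api.crowdin.com")
        # Decode and normalise before matching so "%2e%2e/" or "/../" segments
        # cannot turn an allow-listed prefix into a different endpoint.
        path = posixpath.normpath(unquote(parts.path))
        m = ALLOWED_PATH_RE.match(path)
        if not m:
            return ProxyDecision(False, "path not on allow-list")
        if m.group("project") != self.project_id:
            return ProxyDecision(False, "wrong project")
        if m.group("lang").lower() not in self.allowed_langs:
            return ProxyDecision(False, "language not allowed")
        return ProxyDecision(True, "read-only translation fetch")


if __name__ == "__main__":
    print("tokens visible to the browser:", extract_bearer_tokens(SAMPLE_REQUEST_HEADERS))
    policy = TranslationProxyPolicy(422458, ["en", "es-ES"])
    for method, url in [
        ("GET", "https://api.crowdin.com/api/v2/projects/422458/languages/es-ES/translations?field=6&limit=200"),
        ("POST", "https://api.crowdin.com/api/v2/projects/422458/translations"),
        ("POST", "https://api.crowdin.com/api/v2/projects/422458/approvals"),
    ]:
        print(method, url, "->", policy.decide(method, url))
```

The point of the proxy is not the regex itself but where the secret lives: once the token is only ever presented by the server, scoping it to read-only at Crowdin is defence in depth rather than the sole control, and a leaked front-end request no longer yields a credential at all.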
Vulnerability Fix:
After receiving the report via Immunefi, PancakeSwap revoked the API token, blocking the content injection attack. Since any key sent by the browser is visible to every visitor, a key used this way has to be limited to read-only access, which is the distinction the report turned on.
Acknowledgements:
We’d like to thank the PancakeSwap team for their rapid and effective response to the bug report. We’d also like to thank Kadabra for his tremendous work in finding and reporting the critical vulnerability. PancakeSwap paid out a bounty of $7,500 to the whitehat. To report additional vulnerabilities, please see PancakeSwap’s bug bounty program with Immunefi. If you’re interested in protecting your project with a bug bounty like PancakeSwap’s, visit the Immunefi services page and fill out the form.