Full Report
PancakeSwap uses Crowdin for localization management, which makes the website available in many different languages. The Crowdin API key exposed on the website had overly broad permissions, though: instead of being read-only, it also had write permissions. This means a user could have changed a localization, such as English, and thereby altered the content of the website. That could have enabled phishing to steal a large amount of money from the platform's users. A web bug in a cryptocurrency project that was quite bad. Good find!
Analysis Summary
# Vulnerability: PancakeSwap Crowdin API Write Misconfiguration Leading to Content Injection
## CVE Details
- CVE ID: Not Assigned (Information sourced from a bug bounty report, institutional CVE ID not provided in the text)
- CVSS Score: Critical (Severity based on threat of phishing and content alteration, exact score unavailable)
- CWE: CWE-284 (Improper Access Control / Insufficient Authorization) - Inferred
## Affected Systems
- Products: PancakeSwap website utilizing Crowdin for localization management.
- Versions: Unknown specific versions, but applies to the configuration present before the patch/revocation.
- Configurations: Crowdin Project ID `422458` using an API key with write permissions instead of read-only permissions.
## Vulnerability Description
PancakeSwap integrated Crowdin, a localization management platform, to handle website translations. The security flaw existed because the API key used for these integrations (specifically for project ID 422458) was provisioned with **full write access** to the localization system, rather than the necessary read-only permissions. An attacker leveraging this misconfiguration could use the Crowdin API to inject arbitrary or malicious text into any existing localization string, including the primary English version of the PancakeSwap website. This could facilitate phishing attacks by altering user interface text to redirect users to malicious sites or trick them into performing unintended token swaps.
## Exploitation
- Status: Proof of Concept (PoC) available, but not reported as exploited in the wild prior to disclosure.
- Complexity: Low to Medium (Requires identifying the API key through network inspection and performing subsequent API calls).
- Attack Vector: Network (Remote exploitation via the public Crowdin API).
## Impact
- Confidentiality: Low (No direct sensitive data exposure mentioned).
- Integrity: High (Ability to alter public-facing website content, leading to phishing, misinformation, and potential financial loss for users).
- Availability: Low (Service remains available, but integrity of content is compromised).
## Remediation
### Patches
- **Action Taken:** PancakeSwap immediately **revoked the compromised Crowdin API token**. This action automatically blocked any further content injection via this vector.
- Versions: Not applicable, as the fix was configuration/credential revocation, not a software version upgrade.
### Workarounds
- Temporary mitigation involved isolating or revoking access to the Crowdin translation service API key until a properly permissioned, read-only key could be implemented (inferred best practice).
## Detection
- **Indicators of Compromise:** Unexpected, unapproved, or unauthorized changes in localization strings displayed on the PancakeSwap website.
- **Detection Methods and Tools:** Monitoring network traffic for non-standard write operations against the Crowdin API endpoints by the integrated service account. Reviewing administrative logs within the Crowdin project management interface for unauthorized content insertions or approvals.
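The detection method above, worked through as an added example (not code from the report or from PancakeSwap): it scans constructed outbound-HTTP log lines for write-method requests against the Crowdin project API and notes whether each write succeeded, since a 2xx on a write made with the frontend's token proves the key is over-privileged. The log format and sample lines are assumptions made for this example.

```python
"""Flag write operations against the Crowdin v2 project API in outbound HTTP logs."""
import re
from dataclasses import dataclass

# HTTP methods that modify state; a read-only localization key should never need them.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
CROWDIN_PROJECT_RE = re.compile(r"^https://api\.crowdin\.com/api/v2/projects/(\d+)(/[^?\s]*)?")


@dataclass
class Finding:
    line_no: int
    method: str
    project_id: str
    resource: str
    status: int
    succeeded: bool  # True when the API accepted the write (2xx), i.e. the key can write


def parse_line(line):
    """Assumed log format: '<timestamp> <client> <METHOD> <url> <status>'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return ts, client, method.upper(), url, int(status)


def find_write_ops(lines, project_ids={"422458"}):
    """Return one Finding per write-method request to a watched Crowdin project."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        _, _, method, url, status = rec
        m = CROWDIN_PROJECT_RE.match(url)
        if not m or m.group(1) not in project_ids or method not in WRITE_METHODS:
            continue
        resource = (m.group(2) or "/").rstrip("/") or "/"
        findings.append(Finding(n, method, m.group(1), resource, status, 200 <= status < 300))
    return findings


# Constructed sample log: read traffic is expected, writes from the web frontend are not.
SAMPLE_LOG = [
    "2021-06-08T10:01:02Z web-frontend GET https://api.crowdin.com/api/v2/projects/422458/languages/es-ES/translations?limit=200 200",
    "2021-06-08T10:01:05Z web-frontend GET https://api.crowdin.com/api/v2/projects/422458/strings?limit=200 200",
    "2021-06-08T10:02:11Z web-frontend POST https://api.crowdin.com/api/v2/projects/422458/translations 201",
    "2021-06-08T10:03:00Z web-frontend GET https://api.crowdin.com/api/v2/projects/999999/translations 200",
    "2021-06-08T10:04:00Z web-frontend PUT https://api.crowdin.com/api/v2/projects/422458/translations/123 403",
]

if __name__ == "__main__":
    for f in find_write_ops(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.method} {f.resource} -> {f.status} ({'WRITE ACCEPTED' if f.succeeded else 'rejected'})")
```

A rejected write (here the 403) is what a correctly scoped read-only key should produce; an accepted one is the indicator to alert on.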
## References
- Vendor Advisories: Report published on Immunefi (Jun 8, 2021).
- Relevant Links:
  - Proof of Concept API endpoint structure provided in report: `h_ttps://api.crowdin.com/api/v2/projects/422458/languages/es-ES/translations?field=6&limit=200` (defanged for safety).
  - Crowdin API documentation referenced: `h_ttps://supportc.crowdin.com/api/v2/#operation/api.projects.translations.post` (defanged for safety).
  - Bug bounty platform: `h_ttps://immunefi.com/bounty/pancakeswap` (defanged for safety).