368 hack event(s)
Description of the event: The SAS Token on BNB Chain was exploited via a flawed custom transfer logic (Deferred Burn Exploit). The token’s custom transfer logic had a flaw: sending SAS to the LP pool only incremented a global sellBurn counter, while any subsequent ordinary transfer could burn SAS directly from the pool and call sync() to rewrite reserves, bypassing the AMM’s swap logic. The attacker accumulated sellBurn credit through sells, triggered an unrelated ordinary transfer to burn SAS from the pool down to ~1 wei, and then reverse-swapped to extract profit.
Amount of loss: $ 12,000 Attack method: Smart Contract Vulnerability
Description of the event: LML/USDT staking protocol on BNB Chain suffered a price manipulation attack. The hacker used flash loans to massively inflate the LML/USDT pool spot price, exploited a logic flaw in the staking contract’s reward calculation (which relied on a stale stored price with a 3600-second cooldown instead of live AMM price), batch-claimed oversized LML rewards from pre-staked addresses via EIP-7702, and sold them in the distorted pool for approximately $950,000 profit, causing the LML token price to crash 99.6%.
Amount of loss: $ 950,000 Attack method: Price Manipulation
Description of the event: According to monitoring by BlockSec Phalcon, a suspicious transaction targeting an unknown contract (Stake) on the BSC chain has been detected, resulting in a loss of approximately $133,000. The attacker exploited a spot price dependency vulnerability within the Stake contract. By manipulating the price of TUR in the TUR-NOBEL pool and subsequently staking TUR, the attacker triggered reward calculations based on the artificially inflated price. They then claimed the amplified rewards through a referral account and ultimately profited by swapping the stolen TUR for USDT.
Amount of loss: $ 133,000 Attack method: Price Manipulation
Description of the event: According to BlockSec Phalcon's monitoring, the BCE-USDT pool on PancakeSwap (BSC chain) was exploited a few hours ago, resulting in a loss of approximately $679,000. The root cause lies in a vulnerability within the BCE token's burn mechanism. The attacker deployed two malicious contracts to bypass buy/sell restrictions and trigger the token burn, ultimately extracting about $679,000 from the pool by manipulating its reserves.
Amount of loss: $ 679,000 Attack method: Reserve Manipulation Attack
Description of the event: The DeFi yield protocol Cyrus Finance (CyrusTreasury contract) on BNB Chain was exploited. The attacker used a flash loan to manipulate the PancakeSwap V3 ETH/USDT pool spot price, triggering a vulnerability in the withdrawUSDTFromAny function to over-extract liquidity from an LP position, profiting approximately $516,840 before laundering the funds via Tornado Cash in 9 batches.
Amount of loss: $ 516,840 Attack method: Flash Loan Attack
Description of the event: Venus Protocol’s Core Pool THE (Thena) market was exploited. The attacker accumulated THE tokens over 9 months, used a donation attack (a direct transfer that bypasses the supply cap and mint) to inflate the vTHE exchange rate, combined it with price-manipulation borrow loops, extracted ~$3.7M in assets, and left ~$2.15M in bad debt for the protocol.
Amount of loss: $ 3,700,000 Attack method: Donation Attack
Description of the event: Goose Finance, a yield farming protocol on BNB Chain, was exploited due to a share accounting flaw in the StrategyGooseEgg contract. The attacker repeatedly looped deposit() and withdraw() to mint inflated shares before rewards were settled, then redeemed them at higher value after harvest, profiting ~$8,435.
Amount of loss: $ 8,435 Attack method: Smart Contract Vulnerability
Description of the event: The AM/USDT pool on the BSC chain was exploited several hours ago, with estimated losses of approximately $131,000. The root cause lies in a vulnerability within the burn mechanism, which was exploited to manipulate the AM reserves in the pool and artificially inflate the token price. The attacker first manipulated the toBurnAmount and then triggered the burn logic after the AM balance in the pool had been adjusted. This drove the AM reserves down to an unnaturally low level, allowing the attacker to sell AM back to the pool at an inflated price to realize a profit.
Amount of loss: $ 131,000 Attack method: Reserve Manipulation Attack
Description of the event: According to BlockSec Phalcon's monitoring, a suspicious transaction targeting the MT-WBNB liquidity pool on BSC was detected several hours ago, resulting in an estimated loss of approximately $242,000. The root cause lies in a flaw within the buyer restriction mechanism: under deflationary mode, normal buy orders were reverted; however, the router and pair addresses were whitelisted. The attacker bypassed these restrictions by swapping and removing liquidity through the router to acquire MT tokens from the pair. Subsequently, the attacker sold MT to accumulate a pendingBurnAmount and invoked the distributeFees() function to directly burn MT from the trading pair, artificially inflating the price. This allowed the attacker to swap MT back for WBNB to realize a profit. Furthermore, a referral rule that allowed the transfer of the first 0.2 MT to bypass buyer restrictions enabled the attacker to initiate the exploit.
Amount of loss: $ 242,000 Attack method: Reserve Manipulation Attack
Description of the event: According to BlockSec monitoring, an unknown contract on the BSC network was exploited. The attacker leveraged a design flaw in the “burn pair” mechanism to execute two reverse swaps, resulting in losses of approximately $100,000. The attacker first drained PGNLZ tokens, then triggered PGNLP burns and price manipulation, ultimately siphoning off most of the USDT from the liquidity pool.
Amount of loss: $ 100,000 Attack method: Smart Contract Vulnerability
Description of the event: According to TenArmorAlert, a sandwich attack involving OLY has been detected on BSC, causing estimated losses of around $63,400.
Amount of loss: $ 63,400 Attack method: Sandwich Attack
Description of the event: On the BSC network, an unknown smart contract MSCST suffered a flash loan attack, resulting in an estimated loss of approximately $130,000. The root cause of the exploit lies in the lack of access control (ACL) within the releaseReward() function of the MSCST contract, which allowed the attacker to manipulate the price of the GPC token in the PancakeSwap liquidity pool (address: 0x12da).
Amount of loss: $ 130,000 Attack method: Flash Loan Attack
Description of the event: According to SlowMist founder Yu Cos and ZEROBASE officials, a malicious contract on the BSC chain, “Vault” (0x0dd2…2396), impersonated the ZEROBASE frontend to trick users into authorizing USDT. The incident is suspected to have occurred due to a compromise of the ZEROBASE frontend and was not an issue with the Binance Web3 wallet itself. So far, hundreds of addresses have been affected, with the largest single loss reaching $123,000. The stolen funds have been transferred to the Ethereum address 0x4a57…fc84. ZEROBASE has enabled an authorization monitoring mechanism, and the community is urging users to quickly revoke risky authorizations via revoke.cash.
Amount of loss: $ 123,000 Attack method: Frontend Attack
Description of the event: According to on-chain security analyst ZachXBT, the payment project GANA Payment on the BSC chain was attacked a few hours ago, resulting in an estimated loss of $3.1 million. The attacker has deposited 1,140 BNB (around $1.04 million) into Tornado Cash on BSC, and transferred funds to Ethereum via a cross-chain bridge. Of these funds, 346.8 ETH (around $1.05 million) has also been deposited into Tornado Cash on Ethereum. Currently, another 346 ETH (about $1.046 million) remains idle in an Ethereum address starting with 0x7a.
Amount of loss: $ 3,100,000 Attack method: Unknown
Description of the event: The attackers exploited a misconfigured LayerZero bridge along with a compromised private key for the GAIN BSC contract. By setting a malicious peer contract on Ethereum, they bypassed validation checks and minted 5 billion counterfeit GAIN tokens on BSC. The attackers then sold approximately 150 million of these counterfeit tokens (about 2.8% of the total fake supply) on PancakeSwap, cashing out around USD 3 million.
Amount of loss: $ 3,000,000 Attack method: Private Key Leakage
Description of the event: ABCCApp on BSC was reportedly attacked, resulting in a loss of approximately $10.1K. The root cause was that the contract’s addFixedDay() function lacked access control, and fixedDay was used in calculating claimable USDT.
Amount of loss: $ 10,100 Attack method: Contract Vulnerability
Description of the event: D3X AI (@D3X_AI) was attacked on BSC, resulting in a loss of approximately $158.9K. The root cause was that the exchange() function of contract 0xb8ad relied on the spot price of the d3xat token from a UniswapV2 pair, which the attacker exploited through a price manipulation attack.
Amount of loss: $ 158,900 Attack method: Price Manipulation
Description of the event: According to monitoring by SlowMist's MistEye security system, VDS on BSC appears to have been attacked, with an estimated loss of around $13,000.
Amount of loss: $ 13,000 Attack method: Business Logic Flaw
Description of the event: A suspicious attack involving MEV bot 0xb5cb occurred on BSC, resulting in losses of approximately $2 million.
Amount of loss: $ 2,000,000 Attack method: Contract Vulnerability
Description of the event: According to monitoring by the SlowMist security team, the digital asset wealth management platform Nexo suffered a sandwich attack due to a lack of access control in one of its contracts, resulting in a loss of approximately $31,000.
Amount of loss: $ 31,535 Attack method: Contract Vulnerability