365 hack event(s)
Description of the event: The DTXT/USDT liquidity pair on BSC was exploited. The attacker exploited a forgeable liquidity-addition detection logic in the DTXT contract (by sending a small amount of USDT directly to the pair address, tricking the contract into classifying large sells as liquidity additions). This bypassed sell fees and drained the pool, resulting in a loss of approximately $35,041 USDT.
Amount of loss: $ 35,041 Attack method: Business Logic Vulnerability
Description of the event: The ATM token on BSC was exploited due to a flaw in its custom transferFrom() function logic (which automatically swapped ~20% of transferred amounts to BSC-USD). The attacker repeatedly triggered the mechanism to drain approximately $243,500 from the protocol.
Amount of loss: $ 243,500 Attack method: Smart Contract Vulnerability
Description of the event: The public triggerAutoBurn() maintenance function in BYToken contract on BSC was abused. The attacker took a Moolah flashloan (~422k WBNB), performed Pancake swaps, then called the unprivileged function. This burned ~67.8 quadrillion BY directly from the BY/WBNB pair and called pair.sync(), rewriting reserves to 1 BY + full WBNB. The extreme skew allowed massive BY sells to drain nearly all WBNB liquidity, netting the attacker ~146.60 BNB ($87,402).
Amount of loss: $ 87,402 Attack method: Smart Contract Vulnerability
Description of the event: ApeBond's ApeYieldVault smart contract on BSC was exploited. The attacker used a public helper contract to call migrateToVotingEscrow with duplicate pool IDs, inflating a lock amount from ~1.71 quadrillion ABOND to ~29 quadrillion ABOND. They then unlocked, claimed the inflated lock, sold ABOND in the public ABOND/WBNB pool, repaid a Moolah flashloan, and kept ~5.72 WBNB profit. The entire flow was permissionless and on-chain.
Amount of loss: $ 3,421 Attack method: Smart Contract Vulnerability
Description of the event: The DeFi project TesseraDAO (TSR token) on BNB Chain was attacked. Hackers gained control of the core contract, minted 99 million TSR tokens, and sold them on PancakeSwap for approximately $2.4 million, causing the TSR price to plummet 99%. The funds were bridged to Ethereum and laundered via Tornado Cash.
Amount of loss: $ 2,400,000 Attack method: Private Key Leakage
Description of the event: The DeFi project AROS on BSC was exploited. The attacker interacted with the AROS/USDT PancakeSwap liquidity pool and drained approximately $295.3K USDT.
Amount of loss: $ 295,300 Attack method: Smart Contract Vulnerability
Description of the event: Computility-associated YSDAO project on BSC suffered a liquidity pool attack on PancakeSwap V2. The hacker manipulated reserves via contract calls and extracted funds, resulting in approximately $19.5K loss.
Amount of loss: $ 19,500 Attack method: Reserve Manipulation Attack
Description of the event: The Joe Agent ($JOE) project smart contract had a single-function reentrancy vulnerability. The attacker exploited the logic in _removeLiquidityViaContract where BNB was sent via low-level call before updating lpInfo[user].lpAmount, performing ~25 reentrancy loops to steal 62.5 BNB and ~1.196M JOE.
Amount of loss: $ 45,000 Attack method: Reentrancy Attack
Description of the event: Legacy liquidity locker contracts of DxSale (a veteran DeFi launchpad on BNB Chain) were exploited, draining approximately $7.3 million from over 1,400 old LPs locked since 2021. The attacker used owner privileges via a custom drainer to set near-zero fees, backdate unlock times to 1970, and withdraw funds; on-chain links suggest possible team connections, with the platform remaining silent.
Amount of loss: $ 7,300,000 Attack method: Ownership Override Attack
Description of the event: On May 27, 2026, Superfortune ($GUA) experienced a security incident. The team intended to transfer additionally unlocked tokens to the airdrop claim contract address. However, during the multisig transaction execution, the recipient address was altered, resulting in approximately 14.98 million GUA (worth about $15.18 million at the time) being sent to a suspected hacker-controlled address. The attacker subsequently dumped all the tokens on-chain for roughly 2,784 ETH (approximately $5.66 million at the time) and distributed the funds across multiple wallets. The incident caused GUA's price to plummet by 70-76%. Official preliminary investigation points to address tampering in a multisignature transaction. Although initially described as a "suspected address poisoning attack," the possibility is considered low due to no prior interaction between the hacker address and any Superfortune-related addresses. The team is continuing its investigation and will provide further updates.
Amount of loss: $ 15180000 Attack method: Multisig Address Tampering
Description of the event: On BSC, the SKP token suffered a token-side LP balance drain + sync attack. The attacker profited approximately $212.85k in a single transaction (162,854.21 USDT + 75.88 BNB). The root cause was a flaw in SKP token logic that allowed extra SKP tokens to be transferred out from the Pancake V2 SKP/USDT LP after a large buy, followed by calling sync() to write incorrect reserves, pushing the SKP reserve close to zero. The attacker used flash loans to amplify the attack.
Amount of loss: $ 212,850 Attack method: Smart Contract Vulnerability
Description of the event: On May 12, 2026, at approximately 10:11 UTC, the SQ Protocol on BNB Chain was exploited for $346,137. The attacker abused a hardcoded owner backdoor in the verified Staking contract (0x404404a845fff0201f3a4d419b4839fc419c99f7). Using a type-0x4 transaction with authorizationList, they took ownership, minted fake staking claims, redeemed ~296.5K USDT, swept SQi tokens, and dumped them in the SQi/USDT pool for additional profit. Total realized loss: approximately $346.1K.
Amount of loss: $ 346,100 Attack method: Smart Contract Vulnerability
Description of the event: The JUDAO token / liquidity pool on BSC was exploited via Flashloan-assisted Manipulation. The attacker used flash loans to manipulate pool reserves or pricing, draining funds through PancakeSwap V2 routes (e.g., BUSD-JUDAO pair). Losses included at least 205,259 USDT plus 36 BNB.
Amount of loss: $ 228,000 Attack method: Smart Contract Vulnerability
Description of the event: On April 14, 2026, attackers exploited the BurnAddress mechanism in the MONA token on BSC via a Deferred LP Burn / reserve manipulation attack. The attacker first farmed 10,000 MONA through 25 fresh accounts, sold 9,900 MONA to create a deferred burn credit, bought out most of the pool's MONA inventory, then triggered BurnAddress.burn() with a zero-value transferFrom to burn MONA directly from the LP and call sync(). This left the MONA/USDT pair with near-zero MONA but almost full USDT reserves. Finally, selling the remaining ~100 MONA drained a large amount of USDT. Flash loans from Moolah and borrowing from Venus were used for funding and fully repaid in the same transaction. The root cause was non-atomic handling in _handleSell() and burnsellMona(): USDT payout happened immediately while MONA burn was deferred and could be triggered later, breaking the AMM invariant.
Amount of loss: $ 60,950 Attack method: Reserve Manipulation Attack
Description of the event: Computility-associated TGAI project on BSC suffered a reserve manipulation attack on PancakeSwap V2 liquidity pool. The hacker used a ~$2.4M USDT flash loan, deployed multiple helper contracts to buy TGAI, manipulated reserves via sync() function with ~17.5K USDT injection, then swapped to extract profits, resulting in approximately $11.94K loss.
Amount of loss: $ 11,940 Attack method: Reserve Manipulation Attack
Description of the event: According to ExVul monitoring, a TMM/USDT reserve manipulation attack occurred on the BSC (BNB Chain), resulting in a loss of approximately 1.665 million USDT. The attacker utilized flash loans from Lista DAO Moolah, Venus, Aave V3, PancakeSwap Vault, and Uniswap PoolManager to manipulate the TMM/USDT trading pair. By burning TMM to a dead address, the attacker reduced the pair's reserve to just 1 TMM, subsequently swapping 850 million TMM for approximately 272 million USDT. After repaying all flash loans, the attacker transferred a net profit of roughly 1.665 million USDT to associated addresses.
Amount of loss: $ 1,665,000 Attack method: Reserve Manipulation Attack
Description of the event: A user EOA on BNB Chain (with EIP-7702 delegation) that had set delegated code via an EIP-7702 Type-4 transaction was drained for ~$17.2K. The delegated code included a pancakeV3SwapCallback() function without proper access control. The attacker directly called this callback with crafted calldata, forcing the victim account to transfer its tokens to an attacker-controlled address. The victim had enabled the delegation to support swap-related logic.
Amount of loss: $ 17,200 Attack method: Smart Contract Vulnerability
Description of the event: The SAS Token on BNB Chain was exploited via a flawed custom transfer logic (Deferred Burn Exploit). The token’s custom transfer logic had a flaw: sending SAS to the LP pool only incremented a global sellBurn counter, while any subsequent ordinary transfer could burn SAS directly from the pool and call sync() to rewrite reserves, bypassing the AMM’s swap logic. The attacker accumulated sellBurn credit through sells, triggered an unrelated ordinary transfer to burn SAS from the pool down to ~1 wei, and then reverse-swapped to extract profit.
Amount of loss: $ 12,000 Attack method: Smart Contract Vulnerability
Description of the event: LML/USDT staking protocol on BNB Chain suffered a price manipulation attack. The hacker used flash loans to massively inflate the LML/USDT pool spot price, exploited a logic flaw in the staking contract’s reward calculation (which relied on a stale stored price with a 3600-second cooldown instead of live AMM price), batch-claimed oversized LML rewards from pre-staked addresses via EIP-7702, and sold them in the distorted pool for approximately $950,000 profit, causing the LML token price to crash 99.6%.
Amount of loss: $ 950,000 Attack method: Price Manipulation
Description of the event: According to monitoring by BlockSec Phalcon, a suspicious transaction targeting an unknown contract (Stake) on the BSC chain has been detected, resulting in a loss of approximately $133,000. The attacker exploited a spot price dependency vulnerability within the Stake contract. By manipulating the price of TUR in the TUR-NOBEL pool and subsequently staking TUR, the attacker triggered reward calculations based on the artificially inflated price. They then claimed the amplified rewards through a referral account and ultimately profited by swapping the stolen TUR for USDT.
Amount of loss: $ 133,000 Attack method: Price Manipulation