Calculated from recorded token losses using historical USD prices at the incident time.
0xd423ae0e95e9d6c8a89dcfed243573867e4aad29ee99a9055728cbbe0a5234390x8cf0a553ab3896e4832ebcc519a7a60828ab5740BSC0xcb5a02bb3a38e92e591d323d6824586608ce8ce4BSC0xe283d0e3b8c102badf5e8166b73e02d96d92f688BSCOn BNB Smart Chain block 34114761, transaction 0xd423ae0e95e9d6c8a89dcfed243573867e4aad29ee99a9055728cbbe0a523439 used four public Pancake V3 flash loans to distort the BUSD/WBNB price immediately before calling Elephant’s public sweep contract at 0x8cf0a553ab3896e4832ebcc519a7a60828ab5740. The sweep spent treasury BUSD from 0xcb5a02bb3a38e92e591d323d6824586608ce8ce4 through PancakeRouter 0x10ed43c718714eb63d5aa57b78b54704e256024e and accepted any output because the router call used amountOutMin = 0. The manipulated trade delivered only 195809938538532916514 raw ELEPHANT units to the graveyard 0xaf0980a0f52954777c491166e7f40db2b6fbb4fc, while a clean pre-state execution of the same public sweep would have delivered 592479600269094285940.
The root cause is a permissionless treasury-buy path that trusted live AMM spot quotes and executed with zero slippage protection. Any unprivileged adversary could sandwich the sweep with transient reserve manipulation, force the treasury to buy at a bad price, then unwind the manipulation and retain the difference as profit.
Elephant uses an unverified sweep contract at 0x8cf0a553ab3896e4832ebcc519a7a60828ab5740 to pull BUSD from its treasury and buy ELEPHANT for the graveyard address. The on-chain bytecode reconstruction shows the contract exposes public selectors for sweep(), available(), , , , and . Direct block- RPC calls confirm:
bestPath(uint256)collateralTreasury()coreTreasury()collateralRouter()34114760available() = 592479600269094285940collateralTreasury() = 0xCb5a02BB3a38e92E591d323d6824586608cE8cE4coreTreasury() = 0xAF0980A0f52954777C491166E7F40DB2B6fBb4FccollateralRouter() = 0x10ED43C718714eb63d5aA57B78B54704E256024Ewhitelist(0x1111111111111111111111111111111111111111) = falseThe verified Treasury contract at 0xcb5a02bb3a38e92e591d323d6824586608ce8ce4 is whitelist-gated. Its source proves that only whitelisted callers can withdraw treasury BUSD, and a pre-state call confirmed the sweep contract itself was whitelisted, so the public sweep entrypoint could legally pull treasury funds.
Verified Treasury source:
modifier onlyWhitelisted() {
require(whitelist[msg.sender], "not whitelisted");
_;
}
function withdraw(uint256 _amount) public onlyWhitelisted {
require(token.transfer(_msgSender(), _amount));
}
The public liquidity used for manipulation was available from four Pancake V3 pools whose token1 BUSD balances at the pre-state summed to 5439162800956148738427381 raw BUSD units.
This incident is an ATTACK, not benign MEV. The vulnerable invariant is that treasury collateral sweeps must not execute at a caller-manipulable AMM price and must not accept arbitrary output. Elephant violated that invariant in two ways. First, sweep() was callable by an unprivileged external address even though the sweep contract itself had treasury withdrawal rights. Second, the contract derived its route from live Pancake getAmountsOut quotes and then called the router with amountOutMin = 0. That combination let an attacker transiently distort the BUSD/WBNB pair, force the treasury to buy ELEPHANT at the manipulated price, and realize deterministic profit when the manipulation was unwound.
The reconstructed sweep logic is:
function sweep() external {
require(!isPaused());
uint256 amount = available();
if (amount > liquidityThreshold) {
Treasury(collateralTreasury).withdraw(amount);
router.swapExactTokensForTokensSupportingFeeOnTransferTokens(
amount,
0,
bestPath(amount),
coreTreasury,
block.timestamp
);
lastSweep = block.timestamp;
}
}
The decisive breakpoint is the zero-slippage router call. Once the attacker distorted the BUSD/WBNB reserve ratio, the treasury buy became value-destructive by construction.
The bytecode reconstruction of 0x8cf0... identifies selector 0x35faa416 as sweep() and shows that the function body begins by checking the paused flag but does not enforce caller authorization. The same reconstruction maps storage slot 11 to treasury 0xcb5a..., slot 12 to graveyard 0xaf09..., and slot 14 to PancakeRouter 0x10ed.... Internal available() reads the treasury BUSD balance, applies daily_apr and elapsed-time logic, and produces the spendable amount. Internal bestPath(uint256) queries live router prices over direct and WBNB-intermediated paths.
Sweep reconstruction from on-chain bytecode:
0x0e9c-0x0f00 CALL Treasury.withdraw(amount)
0x1db9-0x1ed6 approve(BUSD, router) and approve(ELEPHANT, router)
0x1ed7-0x1f8b call selector 0x5c11d795 with:
(amountIn, 0, bestPath(amountIn), graveyard, block.timestamp)
The clean pre-state sweep trace shows what should have happened absent manipulation. A random non-whitelisted caller successfully invoked sweep(), the treasury transferred 193615310121918999528294 raw BUSD to the sweep contract, and PancakeRouter would have bought 592479600269094285940 raw ELEPHANT for the graveyard over the [BUSD, WBNB, ELEPHANT] path.
In the incident transaction, the attacker EOA 0xbbcc139933d1580e7c40442e09263e90e6f1d66d called helper contract 0x69bd13f775505989883768ebd23d528c708d6bcf, which nested four Pancake V3 flash loans. The helper borrowed all available BUSD from pools 0x22536030..., 0x4f3126d5..., 0x85faac65..., and 0x369482c7..., then swapped the full 5439162800956148738427381 raw BUSD into 13300112326793611701704 raw WBNB on the manipulated BUSD/WBNB pair 0x58f876857a02d6762e0101bb5c46a8c1ed44dc16.
The incident trace then records the vulnerable sweep path:
0x8Cf0...::sweep()
PancakeRouter::getAmountsOut(193627110417113639371428, [BUSD, WBNB, ELEPHANT])
Treasury::withdraw(193627110417113639371428)
PancakeRouter::swapExactTokensForTokensSupportingFeeOnTransferTokens(
193627110417113639371428,
0,
[BUSD, WBNB, ELEPHANT],
0xAF0980A0f52954777C491166E7F40DB2B6fBb4Fc,
1701858478
)
Because the BUSD/WBNB reserves had already been skewed, the treasury spent 193627110417113639371428 raw BUSD but the graveyard received only 195809938538532916514 raw ELEPHANT. After the sweep completed, the attacker sold WBNB back into BUSD, repaid the flash pools plus fees, and transferred the residual 114393958203315523088130 raw BUSD units to the originating EOA. Valuing gas at the pre-state BUSD/WBNB price yields a gas cost of 4099702450846898449 raw BUSD units and a net post-gas profit of 114389858500864676189681.
The adversary execution was a single-transaction ACT sequence:
0xbbcc139933d1580e7c40442e09263e90e6f1d66d sent one normal transaction to helper contract 0x69bd13f775505989883768ebd23d528c708d6bcf.5439162800956148738427381 raw BUSD.sweep() function on 0x8cf0....The balance diff and trace identify the attacker-controlled addresses and the profit realization path without requiring any attacker-private artifact, calldata template, or privileged state.
The measurable loss is treasury BUSD value transferred to the attacker through manipulated execution quality. The attacker received 114393958203315523088130 raw BUSD units in the final transfer and remained net positive after gas. The treasury at 0xcb5a02bb3a38e92e591d323d6824586608ce8ce4 spent 193627110417113639371428 raw BUSD in the manipulated sweep, while the graveyard received only 195809938538532916514 raw ELEPHANT instead of the 592479600269094285940 raw ELEPHANT obtainable from the clean pre-state.
Affected public protocol components:
0x8cf0a553ab3896e4832ebcc519a7a60828ab57400xcb5a02bb3a38e92e591d323d6824586608ce8ce40xe283d0e3b8c102badf5e8166b73e02d96d92f6880xd423ae0e95e9d6c8a89dcfed243573867e4aad29ee99a9055728cbbe0a523439sweep() execution trace from block 34114760available() and random-caller whitelist checkswithdraw(uint256) is whitelist-gated