On BNB Smart Chain block 20120885, attacker EOA 0x2723e1f6a9a3cd003fd395cc46882e4573cb249f used helper contract 0xb7b0fe129fefa222efd4eb1f6bef9de339339bbb to call the QIXI/WBNB PancakeSwap V2 pair 0x88ff4f62a75733c0f5afe58672121568a680de84 in transaction 0x16be4fe1c8fcab578fcb999cbc40885ba0d4ba9f3782a67bd215fb56dc579062. The pair sent out 6894371397414556949 wei of WBNB during a flash-swap callback, and the helper repaid the invariant with fabricated QIXI created from a zero starting balance. The pair was left with only 1000000000000000 wei of WBNB, while the helper retained 6894371397414556949 wei of WBNB.
The root cause is an unchecked arithmetic bug in QIXI token 0x65f11b2de17c4af7a8f70858d6ccb63aac215697. Its _transfer path performs ten unchecked _basicTransfer debits before the later SafeMath.sub guard, so a sender with zero balance can underflow on the first dust transfer and then emit an arbitrarily large transfer to the pair.
The victim market is a PancakeSwap V2 pair between QIXI and WBNB. A PancakeSwap V2 pair allows a caller to request output tokens with non-empty callback data, receive the tokens immediately, and then satisfy the pair invariant inside a callback before the swap completes.
The QIXI token was deployed with Solidity 0.4.25, where unchecked arithmetic wraps on underflow. In such code, SafeMath only protects the specific operations where it is applied; any earlier raw balance mutation remains exploitable if attacker-controlled.
The attacker sequence required only public information and standard on-chain privileges. The attacker deployed a helper contract in transaction 0x821460706d3f2dbc618efa18e9c1e7da7972b5da66e68829a61892b2637d7958, configured the helper to target the QIXI token in transaction 0x9b67ddcabf61ad0b875e4af76828cf867bf34753e246d9ffdcf28b8c21b276b9, and then executed the draining flash-swap in transaction 0x16be4fe1c8fcab578fcb999cbc40885ba0d4ba9f3782a67bd215fb56dc579062.
This incident is an ATTACK-class ACT exploit caused by broken token accounting, not by privileged access or a special attacker-side artifact. The critical invariant is straightforward: any token transfer path must ensure that the sender's debits never exceed the sender's pre-transfer balance. QIXI violates that invariant because BaseToken._transfer computes freeToken = value / 10000, performs ten _basicTransfer calls to pseudo-random addresses, and only afterward executes balanceOf[from] = balanceOf[from].sub(value).
Because _basicTransfer uses raw arithmetic, the first debit from a zero-balance sender wraps instead of reverting. After the wraparound, the later SafeMath debit succeeds, the pair receives an enormous QIXI balance increase, and PancakeSwap accepts the callback because the pair reserve check only sees that enough token balance was returned. The exploit therefore converts a zero-balance sender into an account that can fabricate enough QIXI to drain the pair's real WBNB reserve.
The verified QIXI source shows the vulnerable ordering directly:
    function _transfer(address from, address to, uint value) internal {
        ...
        uint256 freeToken = value / 10000;
        for (int i = 0; i <= 9; i++) {
            ad = address(uint160(uint(keccak256(abi.encodePacked(i, value, block.timestamp)))));
            _basicTransfer(from, ad, freeToken / 10);
        }
        value -= freeToken;
        ...
        balanceOf[from] = balanceOf[from].sub(value);
        balanceOf[to] = balanceOf[to].add(value).sub(few).sub(burn);
    }

    function _basicTransfer(address sender, address recipient, uint256 value) internal returns (bool) {
        balanceOf[sender] -= value;
        balanceOf[recipient] += value;
        emit Transfer(sender, recipient, value);
        return true;
    }
In the historical pre-state at block 20120884, the helper held zero QIXI and zero WBNB, while the pair held 646623366328996596407 QIXI and 6895371397414556949 WBNB. That pre-state is reproduced in the validator-side fork test and is also consistent with the archived seed trace.
The seed call trace then shows the exploit sequence end to end. First, the pair transfers out 6894371397414556949 wei of WBNB to the helper. Second, inside the callback, the helper calls QIXI transfer with the large forged amount 999999999999999000000000000000000. Third, QIXI emits ten dust Transfer events from the helper to pseudo-random addresses and then emits the large final transfer to the pair, despite the helper having started from zero QIXI.
Representative trace evidence from the archived exploit trace:
    WBNB transfer from pair to helper:
        amount = 0x5fadba420c821515 = 6894371397414556949
    QIXI forged callback transfer to pair:
        input amount = 0x314dc6448d932ae0a456589c0000
    Final pair WBNB balance:
        0x38d7ea4c68000 = 1000000000000000
That trace outcome is exactly what the broken invariant predicts. The pair does not know that the returned QIXI was fabricated by an underflow; it only observes that its token balance increased enough to finalize the swap. The exploit therefore drains real WBNB while repaying with economically worthless minted-by-wraparound QIXI.
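The ordering bug can be replayed off-chain with plain integers. The Python model below is an added example, not the QIXI source or the report's fork test; it assumes the elided few and burn fees are zero, uses labelled placeholder names for the dust recipients, and its check_first flag is a hypothetical fix that validates the sender balance before any debit.

```python
"""Model of the QIXI _transfer ordering under Solidity 0.4.25 uint256 rules."""
UINT256 = 2**256
FORGED = 0x314dc6448d932ae0a456589c0000  # forged amount from the page's trace
PAIR_QIXI = 646623366328996596407        # pair QIXI pre-state from the page


class SafeMathError(Exception):
    """Stands in for the revert raised by SafeMath.sub."""


def safe_sub(a, b):
    if b > a:
        raise SafeMathError("subtraction underflow")
    return a - b


def basic_transfer(bal, sender, recipient, value):
    # Raw -= and += as in _basicTransfer: wraps modulo 2**256, never reverts.
    bal[sender] = (bal.get(sender, 0) - value) % UINT256
    bal[recipient] = (bal.get(recipient, 0) + value) % UINT256


def transfer(bal, sender, to, value, check_first=False):
    """check_first=False follows the page's ordering; True is an assumed fix."""
    if check_first:
        safe_sub(bal.get(sender, 0), value)  # reject before any debit happens
    free_token = value // 10000
    for i in range(10):
        # Placeholder recipients; the contract derives pseudo-random addresses.
        basic_transfer(bal, sender, f"dust-{i}", free_token // 10)
    value -= free_token
    # By now a zero-balance sender has wrapped to a huge value, so this passes.
    bal[sender] = safe_sub(bal.get(sender, 0), value)
    # Assumption: the elided 'few' and 'burn' fees are treated as zero.
    bal[to] = (bal.get(to, 0) + value) % UINT256


def replay(check_first):
    """Replay the helper's callback transfer from a zero QIXI balance."""
    bal = {"helper": 0, "pair": PAIR_QIXI}
    try:
        transfer(bal, "helper", "pair", FORGED, check_first)
    except SafeMathError:
        return "reverted", bal
    return "ok", bal


if __name__ == "__main__":
    for flag in (False, True):
        status, bal = replay(flag)
        print(f"check_first={flag}: {status}, pair QIXI = {bal['pair']}")
```

With the original ordering the transfer succeeds and the pair's QIXI balance jumps by nearly the full forged amount; with the balance check moved ahead of the dust loop the same call reverts and no balance changes.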
The adversary cluster contains EOA 0x2723e1f6a9a3cd003fd395cc46882e4573cb249f and helper contract 0xb7b0fe129fefa222efd4eb1f6bef9de339339bbb. The creator relationship is confirmed by the helper-creation artifact, which records the EOA as creator of the helper in transaction 0x821460706d3f2dbc618efa18e9c1e7da7972b5da66e68829a61892b2637d7958.
The first transaction deployed the helper. The second transaction configured the helper with the QIXI token address 0x65f11b2de17c4af7a8f70858d6ccb63aac215697. The third transaction invoked the helper's exploit entrypoint against pair 0x88ff4f62a75733c0f5afe58672121568a680de84.
At exploit time, the helper triggered a flash-swap from the pair and received almost all WBNB. The pair then called back into the helper, and the helper used the QIXI underflow to fabricate a massive token transfer back to the pair. Once the pair observed enough QIXI balance, it finalized the swap and emitted the post-swap reserve update showing a near-total WBNB depletion.
The exploit transaction metadata and helper transaction history align on the same sender, target helper, and block sequence:
0x821460706d3f2dbc618efa18e9c1e7da7972b5da66e68829a61892b2637d7958 deploy helper
0x9b67ddcabf61ad0b875e4af76828cf867bf34753e246d9ffdcf28b8c21b276b9 set token target
0x16be4fe1c8fcab578fcb999cbc40885ba0d4ba9f3782a67bd215fb56dc579062 execute flash-swap drain
The direct loss was 6894371397414556949 wei of WBNB from the QIXI/WBNB pair. The pair retained only 1000000000000000 wei of WBNB after the exploit transaction, which effectively destroyed the integrity of the pool's pricing and reserve composition.
The attacker cluster's realized profit in the reference asset was the helper's post-transaction WBNB balance minus gas paid by the EOA. The helper held 6894371397414556949 wei of WBNB after the exploit, and the EOA paid 6519165000000000 wei of native BNB gas in the same block, yielding a net gain of 6887852232414556949 wei when valuing BNB and WBNB 1:1 for this transaction.
https://bscscan.com/tx/0x16be4fe1c8fcab578fcb999cbc40885ba0d4ba9f3782a67bd215fb56dc579062
https://bscscan.com/tx/0x821460706d3f2dbc618efa18e9c1e7da7972b5da66e68829a61892b2637d7958
https://bscscan.com/address/0x65f11b2de17c4af7a8f70858d6ccb63aac215697#code
0x88ff4f62a75733c0f5afe58672121568a680de84