We do not have a reliable USD price for the recorded assets yet.
0xe732a7bd6706cbd6834b300d7c56a8d2096723a7 BSC
0x5908e4650ba07a9cf9ef9fd55854d4e1b700a267 BSC
On BSC, an unprivileged attacker used Pancake flash swaps to manipulate the Discover/USDT pool that ETHpledge treats as its price source. In transaction 0x8a33a1f8c7af372a9c81ede9e442114f0aabb537e5c3a22c0fd7231c4820f1e9 at block 18446846 and transaction 0x1dd4989052f69cd388f4dfbeb1690a3f3a323ebb73df816e5ef2466dc98fa4a4 at block 18446926, the attacker drained nearly all USDT from pair 0x92f961b6bb19d35eedc1e174693aaba85ad2425d, called ETHpledge::pledgein, received an abnormally large Discover inviter reward through an attacker-controlled helper, sold the drained Discover back into the market, repaid the flash swaps, and kept the residual WBNB profit.
The root cause is ETHpledge's oracle design. getprice() reads the live Discover/USDT pair balance ratio, and team() immediately converts a USDT-denominated reward into Discover using that spot value. Because the pair is flash-loan-accessible, an attacker can collapse _swapprice for a single transaction and force ETHpledge to overpay Discover rewards to an attacker-selected inviter address.
ETHpledge at 0xe732a7bd6706cbd6834b300d7c56a8d2096723a7 accepts USDT pledges and pays additional Discover token rewards to inviter addresses. Discover is the token at 0x5908e4650ba07a9cf9ef9fd55854d4e1b700a267, and the protocol reads its price from the Pancake pair 0x92f961b6bb19d35eedc1e174693aaba85ad2425d.
The relevant victim-side pricing logic is direct and manipulable:
    function getprice() public view returns (uint256 _price) {
        uint256 lpusdtamount = usdt.balanceOf(_lpaddr);
        uint256 lpotheramount = other.balanceOf(_lpaddr);
        _price = lpusdtamount * 10**18 / lpotheramount;
    }
ETHpledge also lets a caller establish an inviter address on first pledge. During pledgein, the contract records inviter[msg.sender] = fatheraddr and then calls team(amountt), which uses the current _swapprice to size Discover payouts to upstream inviters. This means reward recipients are attacker-controllable if the attacker can prepare a helper address with a nonzero pledge.
Discover's transfer logic blocks buys from configured swap pairs, but it still allows sells into a swap pair via _transferSell(). That behavior matters because it lets an attacker convert the drained Discover reward back into USDT during the same transaction:
    if (isSwapPair(from) && !_isExcludedFromFee[to]) {
        require(!isSwapPair(from), "Can not buy");
    }
    if (isSwapPair(to)) {
        _transferSell(from, to, amount);
    } else {
        _transferStandard(from, to, amount);
    }
The bug is an economic attack surface in ETHpledge's reward pricing path. The contract assumes the Discover/USDT balance ratio inside a Pancake pair is a trustworthy price oracle, but that ratio is only instantaneous AMM state and can be changed inside one transaction using flash liquidity. The vulnerable breakpoint is the sequence where pledgein() accepts attacker-controlled inviter input, team() refreshes _swapprice from the live pair, and then computes curTAmount22 = curTAmount * 10**18 / _swapprice before transferring Discover. When the attacker has already drained almost all USDT from the pair, _swapprice collapses and the computed Discover payout explodes upward. Because ETHpledge only checks whether it has enough Discover balance, not whether the price is manipulation-resistant, the reward transfer succeeds. The exploit remains ACT because all required components are public: Pancake flash swaps, the ETHpledge entrypoints, the Discover sell path, and the pool state used for pricing.
The core vulnerable logic is inside ETHpledge pledgein() and team():
    function pledgein(address fatheraddr, uint256 amountt) public returns (bool) {
        require(fatheraddr != msg.sender, "The recommended address cannot be your own");
        if (inviter[msg.sender] == address(0)) {
            inviter[msg.sender] = fatheraddr;
            sharenumber[fatheraddr] += 1;
        }
        ...
        team(amountt);
        return true;
    }

    function team(uint256 ltj) private {
        ...
        _swapprice = getprice();
        ...
        uint256 curTAmount = ltj.mul(rate).div(_baseFee);
        uint256 curTAmount22 = curTAmount * 10**18 / _swapprice;
        bool y2 = other.balanceOf(address(this)) >= curTAmount22;
        require(y2, "token balance is low.");
        other.transfer(cur, curTAmount22);
    }
The safety invariant should be: a fixed USDT-denominated pledge must not be able to extract more Discover than intended by manipulating transient AMM balances. That invariant breaks at getprice() and curTAmount22, because the contract uses a flash-loan-manipulable spot ratio as if it were a trusted oracle.
The traces show the exact manipulated state. In the first seed transaction, the attacker borrows 2100 USDT-equivalent from pair 0x7efaef62fddcca950418312c6c91aef321375a00, then uses that to flash-borrow nearly the entire USDT side of the Discover pair, leaving only 777000000000000000 wei of USDT in the pool when ETHpledge reads price. The trace records the key calls in sequence:
    0x7EFaEf62...::swap(2100000000000000000000, 0, attackerHelper, ...)
    0x92f961B6...::swap(19810777285664651588959, 0, attackerHelper, ...)
    0xe732a7bD...::pledgein(0xAb21300fA507Ab30D50c3A5D1Cad617c19E83930, 2000000000000000000000)
    ... ← [Return] 777000000000000000
    PancakeRouter::swapExactTokensForTokensSupportingFeeOnTransferTokens(...)
That manipulated state translates directly into victim loss. The balance-diff artifact for the first transaction shows ETHpledge lost 62536761454652895417957 Discover and the Discover/USDT pair lost 16276811473893980928547 USDT units during the manipulation window. The second transaction repeats the same strategy at a smaller remaining inventory and drains another 352282374371987360847560 Discover from ETHpledge. The two transactions together remove 414819135826640256265517 Discover from the victim contract.
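The effect of the collapsed `_swapprice` on `curTAmount22`, modelled in Python as an added example (not the contract's or the report's own code). The two USDT figures come from the trace above; the Discover reserve, `RATE`, `BASE_FEE` and the `guarded_reward` deviation check against a reference price are assumptions made for illustration, so the modelled payouts are not the on-chain amounts.

```python
WAD = 10**18

# From the page's trace: USDT flash-swapped out of the Discover pair, and the
# USDT balance left in the pair when ETHpledge read the price.
USDT_SWAPPED_OUT = 19810777285664651588959
USDT_LEFT = 777000000000000000
# Constructed values (not on the page): Discover reserve, reward rate, fee base.
DISCOVER_RESERVE = 1_000_000 * WAD
RATE, BASE_FEE = 10, 100


def getprice(lp_usdt: int, lp_other: int) -> int:
    """Spot ratio as in the contract: lpusdtamount * 10**18 / lpotheramount."""
    return lp_usdt * WAD // lp_other


def reward(pledge: int, price: int) -> int:
    """curTAmount22 = (ltj * rate / _baseFee) * 10**18 / _swapprice."""
    cur_t_amount = pledge * RATE // BASE_FEE
    return cur_t_amount * WAD // price


def guarded_reward(pledge: int, spot: int, reference: int, max_bps: int = 500) -> int:
    """Hypothetical mitigation: price the payout from a manipulation-resistant
    reference (e.g. a TWAP) and revert if the spot ratio has moved too far."""
    deviation_bps = abs(spot - reference) * 10_000 // reference
    if deviation_bps > max_bps:
        raise ValueError(f"spot deviates {deviation_bps} bps from reference")
    return reward(pledge, reference)


def compare(pledge: int = 2000 * WAD) -> dict:
    """Payout for the same pledge before and after the USDT side is drained."""
    honest = getprice(USDT_SWAPPED_OUT + USDT_LEFT, DISCOVER_RESERVE)
    drained = getprice(USDT_LEFT, DISCOVER_RESERVE)
    return {
        "honest_price": honest,
        "drained_price": drained,
        "honest_reward": reward(pledge, honest),
        "drained_reward": reward(pledge, drained),
    }


if __name__ == "__main__":
    result = compare()
    print(result)
    print("payout inflation:", result["drained_reward"] // result["honest_reward"], "x")
```

With the pair's USDT balance cut to the traced 0.777 USDT, the same 2000 USDT pledge is priced roughly 25,000 times higher in Discover, and the deviation check rejects that state before any transfer is sized.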
The adversary cluster is centered on EOA 0x446247bb10b77d1bca4d4a396e014526d1aba277, which sent both exploit transactions and received the final WBNB proceeds. Transaction 0x8a33...f1e9 targets helper contract 0x06b912354b167848a4a608a56bc26c680dad3d79, and transaction 0x1dd4...4a4 uses helper 0xfa9c2157cf3d8cbfd54f6bef7388fbcd7dc90bd6. Both transactions direct ETHpledge inviter rewards to helper address 0xab21300fa507ab30d50c3a5d1cad617c19e83930, which then forwards the Discover balance back to the active arbitrage contract.
The end-to-end exploit flow is:
pledgein(attackerControlledInviter, 2000e18).
The balance-diff artifacts confirm the profit realization. Across the two seed transactions, the attacker EOA's native balance increases from 956643377424732472 wei to 49806928880179551582 wei, a net gain of 48854973592754819110 wei after gas.
The primary protocol loss is Discover inventory drained from ETHpledge. The two analyzed exploit transactions remove a combined 414819135826640256265517 Discover units with 18 decimals from the victim. The attacker cluster monetizes that drain by selling the Discover back into the market and finishes with 48.854973592754819110 WBNB-equivalent wei of net profit. The attack is repeatable while ETHpledge still holds Discover inventory and while the Pancake pair remains flash-loan-accessible.
0x8a33a1f8c7af372a9c81ede9e442114f0aabb537e5c3a22c0fd7231c4820f1e9 at block 18446846.
0x1dd4989052f69cd388f4dfbeb1690a3f3a323ebb73df816e5ef2466dc98fa4a4 at block 18446926.
0xe732a7bd6706cbd6834b300d7c56a8d2096723a7.
0x5908e4650ba07a9cf9ef9fd55854d4e1b700a267.
ETHpledge::pledgein, reward transfers, and router unwind.