Transaction: 0x586a2a4368a1a45489a8a9b4273509b524b672c33e6c544d2682771b44f05e87
ChiSale contract: 0x050163597d9905ba66400f7b3ca8f2ef23df702d (Ethereum)
CHI token: 0x71e1f8e809dc8911fcac95043bc94929a36505a5 (Ethereum)
At Ethereum mainnet block 21132838, transaction 0x586a2a4368a1a45489a8a9b4273509b524b672c33e6c544d2682771b44f05e87 used a Balancer flash loan to drain the ETH treasury of Aethia's ChiSale contract at 0x050163597d9905ba66400f7b3ca8f2ef23df702d. The attacker first exhausted the remaining bonus tiers, then executed a second self-referred purchase that caused ChiSale to refund almost the entire overpayment while also paying a 22% referral rebate to the attacker-controlled receiver. The sale contract fell from 5780780000000000000 wei to 12 wei, while the attacker EOA finished with 5774956528983802003 wei more ETH after gas.
The root cause is a concrete accounting bug in ChiSale.buy(address). The function caps tokensToBuy against the absolute maxBonusThreshold instead of the remaining sellable capacity, computes the refund from that incorrect cap, and separately pays referral revenue from gross msg.value. Once tokensSold is pushed to the final threshold and inventory is nearly empty, a self-referred overpay lets buyer-controlled addresses receive more ETH back than the economically valid purchase should allow.
ChiSale sells CHI at a fixed 0.001 ether per base token and tracks progress through tokensSold, bonusIndex, and maxBonusThreshold. The verified source at 0x050163597d9905ba66400f7b3ca8f2ef23df702d exposes buy(address), getSoldTokens(), and bonus-tier getters. Pre-state evidence immediately before the exploit shows:
tokensSold = 6507
maxBonusThreshold = 2500000
CHI balanceOf(ChiSale) = 2488617
ChiSale ETH balance = 5780780000000000000
The attack is fully permissionless. The transaction sender 0xee4073183e07aa0fc1b96d6308793840f02b6e88 called the public Balancer Vault flash-loan entrypoint at 0xba12222222228d8ba445958a75a0704d566bf2c8, used its own receiver contract 0x931b8905c310ab133373f50ba66feba2793f80ea, and used helper contract 0x83f015cf92626fba4368a2c8489eb01fa3e6044b to perform the preparatory purchase. Storage evidence ties both contracts to the same EOA owner.
The bug is not in Balancer or CHI. It is in ChiSale’s purchase accounting. Inside buy(address), the contract derives tokensToBuy = msg.value / TOKEN_PRICE, then checks whether that amount exceeds maxBonusThreshold. If it does, the contract truncates tokensToBuy to maxBonusThreshold and sets remainder = msg.value - tokensToBuy * TOKEN_PRICE. That logic treats maxBonusThreshold as if it were remaining capacity, even though it is an absolute ceiling unrelated to tokensSold.
The same function then calls calculateBonusTokens(tokensToBuy), increments tokensSold by the truncated tokensToBuy, transfers either tokensToBuy + bonusTokens or the contract’s remaining CHI balance, and finally pays msg.value * 22 / 100 to the referral address before returning the computed remainder to the buyer. After the sale tiers are exhausted, calculateBonusTokens returns zero, but the contract still pays the referral rebate on the full overpayment and still refunds based on the wrong cap. The explicit invariant violation is that ETH outflows during a purchase are no longer bounded by actual deliverable inventory.
The relevant source lines are:
if (tokensToBuy > maxBonusThreshold) {
tokensToBuy = maxBonusThreshold;
remainder = msg.value - tokensToBuy * TOKEN_PRICE;
}
...
if (referralAddress != address(this) && referralAddress != address(0)) {
referralAddress.send(msg.value * REVENUE_SHARE_PERCENTAGE / 100);
}
if (remainder > 0) {
msg.sender.transfer(remainder);
}
The exploit begins from a public pre-state in which ChiSale still holds both CHI inventory and an ETH treasury. The attacker borrows 25000 WETH from Balancer, unwraps it to ETH, and uses helper contract 0x83f015cf92626fba4368a2c8489eb01fa3e6044b to buy 1993493 base tokens for 1993493000000000000000 wei. The trace shows that this first purchase transfers 2456112 CHI to the helper and pays 438568460000000000000 wei to the attacker-controlled receiver as referral revenue:
0x83F015...::test{value: 1993493000000000000000}(...)
0x050163...::buy{value: 1993493000000000000000}(0x931b8905...)
0x71E1f8...::transfer(0x83F015..., 2456112)
0x931b8905...::fallback{value: 438568460000000000000}()
emit LogChiPurchase(..., 1993493, ...)
That first step advances tokensSold from 6507 to the final threshold 2000000, leaving only 32505 CHI in the sale contract. The attacker then performs the decisive second purchase directly from the receiver with 18457751454545454545400 wei and self-refers to the same receiver address. At that point, the remaining economic capacity is only 500000 base tokens and the actual inventory is only 32505 CHI, but buy still prices the purchase as 2500000 tokens because it compares against the absolute maxBonusThreshold.
The trace captures the resulting mismatch:
0x71E1f8...::transfer(0x931b8905..., 32505)
0x931b8905...::fallback{value: 4060705319999999999988}()
0x931b8905...::fallback{value: 15957751454545454545400}()
emit LogChiPurchase(..., 2500000, ...)
Only the final 32505 CHI are transferred, yet ChiSale sends out both a 4060705319999999999988 wei referral payment and a 15957751454545454545400 wei refund. Combined with the first-stage referral payment, those ETH outflows consume the sale contract’s pre-existing treasury and leave 12 wei behind. The balance-diff artifact confirms the post-state:
{
"address": "0x050163597d9905ba66400f7b3ca8f2ef23df702d",
"before_wei": "5780780000000000000",
"after_wei": "12",
"delta_wei": "-5780779999999999988"
}
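As an added illustration (not ChiSale's own code or one of the page's artifacts), the following Python model reproduces the second-purchase accounting from the trace above and places it beside a version capped to remaining capacity. The bonus schedule is not modelled, and the pre-purchase treasury figure is derived from the amounts already given.

```python
# Added model of ChiSale.buy ETH accounting, not the contract's own code.
# The bonus-tier schedule is not modelled: this covers the post-threshold
# state where calculateBonusTokens returns zero (the decisive second buy).
TOKEN_PRICE = 10**15               # 0.001 ether per base token
REVENUE_SHARE_PERCENTAGE = 22      # referral rebate

# State right before the second purchase; treasury_wei is derived as
# 5780780000000000000 + 1993493e18 received - 438568460000000000000 rebate.
PRE_STATE = {"tokens_sold": 2_000_000, "max_bonus_threshold": 2_500_000,
             "chi_inventory": 32_505, "treasury_wei": 1_560_705_320_000_000_000_000}
OVERPAY_WEI = 18_457_751_454_545_454_545_400   # msg.value of the second buy

def buy_as_deployed(state, value_wei):
    """Vulnerable accounting: caps tokensToBuy against the absolute
    maxBonusThreshold and pays the referral share on gross msg.value."""
    tokens_to_buy = value_wei // TOKEN_PRICE
    remainder = 0
    if tokens_to_buy > state["max_bonus_threshold"]:
        tokens_to_buy = state["max_bonus_threshold"]
        remainder = value_wei - tokens_to_buy * TOKEN_PRICE
    delivered = min(tokens_to_buy, state["chi_inventory"])  # bonus is zero here
    referral = value_wei * REVENUE_SHARE_PERCENTAGE // 100
    return _settle(state, value_wei, delivered, referral, remainder)

def buy_capped_to_capacity(state, value_wei):
    """Hardened accounting: cap against remaining capacity and real inventory,
    pay the referral share only on the accepted amount, and refuse any
    purchase that would pay out more ETH than it receives."""
    capacity = min(state["max_bonus_threshold"] - state["tokens_sold"],
                   state["chi_inventory"])
    tokens_to_buy = min(value_wei // TOKEN_PRICE, capacity)
    accepted = tokens_to_buy * TOKEN_PRICE
    remainder = value_wei - accepted
    referral = accepted * REVENUE_SHARE_PERCENTAGE // 100
    assert referral + remainder <= value_wei, "ETH outflow exceeds msg.value"
    return _settle(state, value_wei, tokens_to_buy, referral, remainder)

def _settle(state, value_wei, delivered, referral, remainder):
    """Outflows of one purchase and the sale treasury balance afterwards."""
    return {"delivered": delivered, "referral_wei": referral, "refund_wei": remainder,
            "outflow_exceeds_value": referral + remainder > value_wei,
            "treasury_after": state["treasury_wei"] + value_wei - referral - remainder}
```

The deployed model ends the purchase with 12 wei in the treasury, matching the balance diff; the capped model delivers the same 32505 CHI but keeps every outflow within msg.value.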
This behavior is deterministic and reproducible because every required component is public: Balancer flash liquidity, ChiSale’s source and state, and the sale’s residual ETH balance.
The adversary flow is a single transaction with three clear stages.
First, the EOA 0xee4073183e07aa0fc1b96d6308793840f02b6e88 invokes Balancer Vault flashLoan and routes the loan into receiver contract 0x931b8905c310ab133373f50ba66feba2793f80ea:
0xBA122222...::flashLoan(0x931b8905..., [WETH], [25000000000000000000000], 0x)
WETH9::transfer(0x931b8905..., 25000000000000000000000)
Second, the receiver unwraps WETH, calls its helper to perform the tier-exhausting purchase, and receives the first referral rebate. This stage is what moves the sale to the final threshold where the bug becomes profitable.
Third, the receiver performs the self-referred overpayment, receives the final CHI inventory plus the oversized refund and referral rebate, then re-wraps exactly 25000 ETH into WETH and repays Balancer. The remaining ETH is forwarded to the EOA. The balance-diff artifact shows the final EOA profit:
{
"address": "0xee4073183e07aa0fc1b96d6308793840f02b6e88",
"before_wei": "5285453757312471491",
"after_wei": "11060410286296273494",
"delta_wei": "5774956528983802003"
}
Because no privileged keys, admin actions, or private orderflow are needed, the sequence is an ACT exploit rather than a privileged compromise.
The direct loss is the depletion of ChiSale’s ETH treasury:
5780779999999999988 wei (ETH, 18 decimals), leaving 12 wei in the contract.
The attacker cluster also acquires the entire remaining CHI inventory of 2488617 tokens, but the root-cause loss accounting is properly centered on the drained ETH treasury because that is the monetized protocol loss confirmed by the balance diff. The exploit is severe because it is single-transaction, permissionless, and repeatable whenever comparable preconditions exist.
Transaction: 0x586a2a4368a1a45489a8a9b4273509b524b672c33e6c544d2682771b44f05e87
ChiSale: 0x050163597d9905ba66400f7b3ca8f2ef23df702d
CHI token: 0x71e1f8e809dc8911fcac95043bc94929a36505a5
Balancer Vault: 0xba12222222228d8ba445958a75a0704d566bf2c8
Metadata artifact: /workspace/session/artifacts/collector/seed/1/0x586a2a4368a1a45489a8a9b4273509b524b672c33e6c544d2682771b44f05e87/metadata.json
Trace artifact: /workspace/session/artifacts/collector/seed/1/0x586a2a4368a1a45489a8a9b4273509b524b672c33e6c544d2682771b44f05e87/trace.cast.log
Balance-diff artifact: /workspace/session/artifacts/collector/seed/1/0x586a2a4368a1a45489a8a9b4273509b524b672c33e6c544d2682771b44f05e87/balance_diff.json
Verified ChiSale source: https://repo.sourcify.dev/contracts/partial_match/1/0x050163597d9905ba66400f7b3ca8f2ef23df702d/sources/ChiSale.sol