ATK Reward Flashswap Overclaim
Exploit Transactions
- 0xb181e88e6b37ee9986f2a57aefb94779402fdb928654aa7c1dda5138b90d0e14
- 0x9e328f77809ea3c01833ec7ed8928edb4f5798c96f302b54fc640a22b3dd1a52
- 0x55983d8701e40353fee90803688170a16424ee702f6b21bb198bb8e7282112cd
- 0x601b8ab0c1d51e71796a0df5453ca671ae23de3d5ec9ffd87b9c378504f99c32
Victim Addresses
- 0x96bf2e6cc029363b57ffa5984b943f825d333614 (BSC)
- 0x9cb928bf50ed220ac8f703bce35be5ce7f56c99c (BSC)
Root Cause Analysis
1. Incident Overview TL;DR
On BNB Smart Chain, an unprivileged attacker used the public ATK/USDT Pancake pair at 0xd228faee4f73a73fcc73b6d9a1bd25ee1d6ee611 to manipulate the price input consumed by reward contract 0x96bf2e6cc029363b57ffa5984b943f825d333614. The attacker first deployed helper 0xd7ba198ce82f4c46ad8f6148ccfdb41866750231, opened a qualifying depoit(100,1) position, then borrowed almost the entire USDT side of the pair inside tx 0x55983d8701e40353fee90803688170a16424ee702f6b21bb198bb8e7282112cd. While the pair's USDT balance was temporarily near zero, the helper called claimToken1(), and the victim transferred 50591735557324800000000000 ATK to the helper. In tx 0x601b8ab0c1d51e71796a0df5453ca671ae23de3d5ec9ffd87b9c378504f99c32, the attacker sold the resulting ATK and realized 127677363775463262166716 USDT.
The root cause is a same-transaction oracle design flaw. The reward contract prices claims from live ATK and USDT balances on the Pancake pair and does not protect that input with a TWAP, reserve floor, or any flash-loan-resistant validation.
2. Key Background
The victim reward contract is unverified, but the collected traces show its externally used selectors: depoit(uint256,uint256) at 0x10204da1 and claimToken1() at 0x8a809095. Auditor bytecode analysis mapped the contract's relevant storage to ATK token 0x9cb928bf50ed220ac8f703bce35be5ce7f56c99c, USDT 0x55d398326f99059ff775485246999027b3197955, referral manager 0x71d5c49eeba1a7c3a2653c9fc38dcffe85611eb5, and Pancake pair 0xd228faee4f73a73fcc73b6d9a1bd25ee1d6ee611.
The attack helper is a thin orchestrator. It approves ATK to the reward contract and router, registers an inviter, calls depoit(100,1) to create claim state, later borrows USDT from the pair via flashswap, invokes claimToken1() inside the callback, repays the pair, and then sells all ATK through PancakeRouter.
3. Vulnerability Analysis & Root Cause Summary
The vulnerability class is a price-manipulation attack against reward accounting. The reward contract derives the ATK reward rate from current Pancake pair balances and consumes that value during claimToken1(). Because the same claimant can borrow from the same pair immediately before the price read, the claimant can force the pair into an artificial reserve state that makes the reward calculation overpay. The exploit does not depend on privileged keys, attacker-owned legacy contracts, or private orderflow; any unprivileged actor able to acquire enough ATK for the qualifying deposit and access public flashswap liquidity could reproduce it. The violated invariant is straightforward: reward conversion must use a manipulation-resistant price source, and the claimant must not control the oracle state used by the same claim path. The code-level breakpoint is the victim's pair-balance read during claimToken1(), immediately before the oversized ATK transfer.
4. Detailed Root Cause Analysis
The qualifying deposit is visible in tx 0x9e328f77809ea3c01833ec7ed8928edb4f5798c96f302b54fc640a22b3dd1a52. The helper calls depoit(100, 1), the victim queries the pair balances, then pulls 971149100000000000000 ATK from the helper:
0x96bF2E6CC029363B57Ffa5984b943f825D333614::depoit(100, 1)
0x71d5c49Eeba1a7c3a2653c9FC38DCFfe85611eb5::getInviteAddress(helper)
ATK::balanceOf(pair) -> 1282311447063242961061164
BEP20USDT::balanceOf(pair) -> 132040634328540635825194
ATK::transferFrom(helper, victim, 971149100000000000000)
The exploit transaction then demonstrates the actual breakpoint. Before the flashswap, the pair holds 130940661487811253145462 USDT. The helper borrows 130938042674581496920399 USDT, leaving only 2618813229756225063 USDT in the pair while claimToken1() executes:
BEP20USDT::balanceOf(pair) -> 130940661487811253145462
PancakePair::swap(130938042674581496920399, 0, helper, 0x00)
helper::pancakeCall(...)
victim::claimToken1()
ATK::balanceOf(pair) -> 1293850648377557811245887
BEP20USDT::balanceOf(pair) -> 2618813229756225063
ATK::transfer(helper, 50591735557324800000000000)
ATK::transfer(0x94Cb62d79527211763239686E447Ac18A85B9993, 474297520849920000000000)
The balance-diff artifact for the same transaction confirms that the victim lost 51066033078174720000000000 ATK overall, of which 50591735557324800000000000 ATK went to the attacker helper and 474297520849920000000000 ATK went to the referral recipient. This is the decisive state transition: the claim path trusted a price input that the claimant controlled inside the same transaction.
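Added example (not the victim's code, which is unverified): a Python model of the claim-time price read, run on the pair balances from the two traces above. It assumes the reward is priced as ATK-per-USDT from the pair's live balances; guarded_price, the 10,000 USDT floor, the 500 bps tolerance and the use of the deposit-time ratio as a stand-in for a TWAP are hypothetical.

```python
# Assumption: the unverified victim prices claims as balanceOf(ATK) / balanceOf(USDT) on the pair.
WAD = 10**18

# Pair balances copied from the traces above (smallest units, 18 decimals).
DEPOSIT_ATK, DEPOSIT_USDT = 1282311447063242961061164, 132040634328540635825194
CLAIM_ATK, CLAIM_USDT = 1293850648377557811245887, 2618813229756225063
PAID_ATK = 51066033078174720000000000  # total ATK the victim lost in the claim tx

class PriceRejected(Exception):
    """Raised when the live pair state is not safe to price a claim from."""

def spot_price(atk_balance: int, usdt_balance: int) -> int:
    """ATK per 1 USDT, WAD-scaled, from live pair balances (the manipulable input)."""
    if usdt_balance == 0:
        raise PriceRejected("empty USDT side")
    return atk_balance * WAD // usdt_balance

def guarded_price(atk_balance, usdt_balance, reference_price,
                  usdt_floor=10_000 * WAD, max_deviation_bps=500):
    """Return a usable price or raise. Floor and tolerance are hypothetical settings."""
    if usdt_balance < usdt_floor:
        raise PriceRejected("USDT balance below reserve floor")
    spot = spot_price(atk_balance, usdt_balance)
    deviation_bps = abs(spot - reference_price) * 10_000 // reference_price
    if deviation_bps > max_deviation_bps:
        raise PriceRejected(f"spot deviates {deviation_bps} bps from reference")
    return reference_price  # pay out at the slow-moving reference, never at spot

def analyse():
    """Quantify the overpayment and check that the guard blocks the claim-time state."""
    reference = spot_price(DEPOSIT_ATK, DEPOSIT_USDT)  # stand-in for a TWAP reading
    manipulated = spot_price(CLAIM_ATK, CLAIM_USDT)
    usdt_value = PAID_ATK * WAD // manipulated  # USDT value the claim represented
    fair_atk = usdt_value * reference // WAD    # ATK owed at the reference price
    try:
        guarded_price(CLAIM_ATK, CLAIM_USDT, reference)
        blocked = False
    except PriceRejected:
        blocked = True
    return {"inflation": manipulated // reference, "usdt_value": usdt_value,
            "fair_atk": fair_atk, "blocked": blocked}

if __name__ == "__main__":
    print(analyse())
```

Under these assumptions the claim-time ratio is roughly fifty thousand times the deposit-time ratio, and either check alone (reserve floor or deviation bound) rejects the manipulated state.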
After the claim, the attacker immediately monetized the oversized reward. In tx 0x601b8ab0c1d51e71796a0df5453ca671ae23de3d5ec9ffd87b9c378504f99c32, the helper routed 50591832959709107223228763 ATK into PancakeRouter, which sold the position against the same pair and transferred 127677363775463262166716 USDT to the attacker EOA:
PancakeRouter::swapExactTokensForTokensSupportingFeeOnTransferTokens(
50591832959709107223228763,
0,
[ATK, USDT],
0x3DF6cd58716d22855aFb3B828F82F10708AfbB4f,
1665551099
)
PancakePair::swap(127677363775463262166716, 0, attacker, 0x)
BEP20USDT::transfer(attacker, 127677363775463262166716)
5. Adversary Flow Analysis
- Tx 0xb181e88e6b37ee9986f2a57aefb94779402fdb928654aa7c1dda5138b90d0e14: attacker EOA 0x3df6cd58716d22855afb3b828f82f10708afbb4f deployed helper 0xd7ba198ce82f4c46ad8f6148ccfdb41866750231, configured approvals, and registered inviter 0x41bdf5139b13c2bd6f9ed00b835848d3a83ada3b.
- Tx 0x9e328f77809ea3c01833ec7ed8928edb4f5798c96f302b54fc640a22b3dd1a52: the helper created the claim-eligible position by calling depoit(100,1) and transferring 971.1491 ATK to the reward contract.
- Tx 0x55983d8701e40353fee90803688170a16424ee702f6b21bb198bb8e7282112cd: the helper flash-borrowed almost all pair USDT, called claimToken1() while the pair reserve was manipulated, received 50591735557324800000000000 ATK, and repaid the flashswap.
- Tx 0x601b8ab0c1d51e71796a0df5453ca671ae23de3d5ec9ffd87b9c378504f99c32: the helper sold the claimed ATK through PancakeRouter, and the attacker EOA received 127677363775463262166716 USDT.
This sequence is ACT-complete: all contracts involved are public, the attacker uses only fresh unprivileged addresses, and the exploit depends only on public pair liquidity and same-transaction reserve manipulation.
6. Impact & Losses
The realized extracted value was 127677363775463262166716 smallest-unit USDT, which is 127677.363775463262166716 USDT on BNB Smart Chain. The reward contract also emitted 50591735557324800000000000 ATK to the helper during the manipulated claim, plus a referral-side ATK transfer. The direct victim component is reward contract 0x96bf2e6cc029363b57ffa5984b943f825d333614, while the economic damage was realized through the ATK/USDT market when the attacker dumped the over-issued ATK.
7. References
- Flash-priced claim trace: tx 0x55983d8701e40353fee90803688170a16424ee702f6b21bb198bb8e7282112cd
- Monetization trace: tx 0x601b8ab0c1d51e71796a0df5453ca671ae23de3d5ec9ffd87b9c378504f99c32
- Qualifying deposit trace: tx 0x9e328f77809ea3c01833ec7ed8928edb4f5798c96f302b54fc640a22b3dd1a52
- Seed metadata index covering all four relevant transactions
- Balance-diff artifacts for the exploit and monetization transactions