3. Vulnerability Analysis & Root Cause Summary

The vulnerable branch is in BFCToken _transfer when to is the BFC/USDT AMM pair. If lastTx != 0, the token first executes super._transfer(address(uniswapV2PairUSDT), DESTROY, lastTx), reduces total supply, and calls IUniswapPair(uniswapV2PairUSDT).sync(). Only after that does it compute the new 2% sell tax for the current transfer and store it back into lastTx.

if (ammPairs[to]) {
    if (lastTx != 0) {
        super._transfer(address(uniswapV2PairUSDT), DESTROY, lastTx);
        _totalSupply = _totalSupply - lastTx;
        IUniswapPair(uniswapV2PairUSDT).sync();
        lastTx = 0;
    }
    uint256 subAmount = amount.div(100).mul(2);
    lastTx = lastTx + subAmount;
}

This breaks the AMM safety invariant that pair reserves should only change through value-conserving pair actions such as swaps, mint, burn, or legitimate liquidity removal. The prior seller never actually pays the stored lastTx during the same sell. Instead, the next seller causes the pair itself to be debited and re-synchronized. Because skim(address) is public, an attacker can feed BFC into the pair, reclaim most of it as excess, and repeatedly force the pair to burn LP-held BFC from the previous deferred tax. The reserve collapse is therefore deterministic and permissionless.

4. Detailed Root Cause Analysis

The exploit starts from the public pre-state before block 31599444, where the BFC/USDT pair still holds substantial BFC and USDT liquidity. The attacker uses a flash borrow of 400000 USDT from the USDT/WBNB pair, buys BFC from the public market, and then enters a transfer/skim loop.

In each loop iteration, the attacker transfers BFC to the BFC/USDT pair. That sell stores a new deferred tax in lastTx. The attacker then calls skim(address) to reclaim excess BFC that now sits above the pair's tracked reserve. On the next transfer into the pair, BFCToken burns the previously stored lastTx from the pair's own balance and calls sync(), lowering the tracked BFC reserve. Because the attacker recovers most of the newly transferred BFC via skim, the attacker does not need to permanently spend the same amount of BFC that the pair loses.

The seed trace shows this pattern directly: repeated PancakePair::skim(...) calls interleaved with repeated PancakePair::sync() calls before the terminal swap. The seed balance diff also shows the end state of the reserve destruction. The BFC/USDT pair's BFCToken balance falls from 22419094799340585333382 to 2587469245664025216121, while its USDT balance falls from 42342665553163949036807 to 171. The dead address receives 3344709912733564822643 BFC, matching the burn path.

Once the tracked BFC reserve is nearly dust, the attacker performs one final BFC sell into the pair. Because the denominator on the BFC side has been collapsed, the swap extracts nearly all remaining USDT. The flash borrow is repaid, residual USDT is converted to native BNB, and the sender EOA finishes with a net gain of 174954934067014145209 wei.

5. Adversary Flow Analysis

The adversary cluster is centered on EOA 0x7cb74265e3e2d2b707122bf45aea66137c6c8891, which sends the exploit transaction and receives the profit. The trace also shows two attacker-controlled helper contracts: 0x9180981034364f683ea25bcce0cff5e03a595bef and the CREATE2-deployed helper 0xa2120a9147a4f6c834fc9b73a5d0ec454e2ae45d.

The on-chain flow is:

1. 0x16b9...daE::swap(400000 USDT, 0, helper, data) provides flash liquidity.
2. The helper buys BFC through the Pancake router.
3. The helper repeatedly transfers BFC to 0x71e1...c05 and calls skim(address(this)), causing the next transfer to burn the prior lastTx from the pair and forcing sync().
4. After the tracked BFC reserve is nearly zero, the helper sells retained BFC back into the pair and drains USDT down to 171 raw units.
5. The helper repays 401203.610832497492477433 USDT to the flash-loan pair, swaps remaining USDT to BNB, and exits profit to the attacker EOA.

Representative trace evidence:

0x16b9...daE::swap(400000000000000000000000, 0, 0xa212...45d, ...)
PancakePair::skim(0xa212...45d)
PancakePair::sync()
... repeated reserve-collapse loop ...
PancakePair::swap(440287233893506239553239, 0, 0xa212...45d, 0x)
PancakeRouter::swapExactTokensForETH(..., 0x7cb7...8891, ...)

6. Impact & Losses

The public BFC/USDT pool lost 42342665553163949036636 raw USDT units in the incident transaction, leaving only 171 raw units in the pair. LP holders also lost BFC-side inventory because BFCToken burned pair-held BFC during the loop and synchronized the lower balance into reserves. The measurable attacker profit was 174.954934067014145209 BNB net of gas.

7. References

1. Seed transaction: 0x8ee76291c1b46d267431d2a528fa7f3ea7035629500bba4f87a69b88fcaf6e23
2. BFCToken verified source: /workspace/session/artifacts/collector/seed/56/0x595eac4a0ce9b7175a99094680fbe55a774b5464/src/Contract.sol
3. Seed trace: /workspace/session/artifacts/collector/seed/56/0x8ee76291c1b46d267431d2a528fa7f3ea7035629500bba4f87a69b88fcaf6e23/trace.cast.log
4. Seed metadata and receipt: /workspace/session/artifacts/collector/seed/56/0x8ee76291c1b46d267431d2a528fa7f3ea7035629500bba4f87a69b88fcaf6e23/metadata.json
5. Seed balance diff: /workspace/session/artifacts/collector/seed/56/0x8ee76291c1b46d267431d2a528fa7f3ea7035629500bba4f87a69b88fcaf6e23/balance_diff.json