We do not have a reliable USD price for the recorded assets yet.
0x26081ccd74296e45ccfb6031cea37a162748e0b81a110f9e657b155ee23f79da0x491a70122412faebb97ae0cd75c0c2869ae65179BSC0x0ce444e745591f3d5df5148a1257936918668605BSC0xd109a84a1afec068e70cdb11a75e14a856a96f3fBSCOn BSC block 85402544, transaction 0x26081ccd74296e45ccfb6031cea37a162748e0b81a110f9e657b155ee23f79da let an unprivileged attacker use public capital sources, become the dominant same-transaction LEDS LP participant, call a public maintenance function, and extract value from the LEDS/WBNB Pancake pair plus the reward distributor in one atomic sequence. The final profit was 104.559510523728084109 BNB net of gas, with 104.561194082248581109 WBNB transferred from the attacker contract to the attacker EOA and 0.001683558520497 BNB spent on gas.
The root cause is two coupled protocol flaws. First, triggerDailyBurnAndMint() treated the Pancake pair's LEDS inventory as if it were contract-controlled inventory and directly moved 42,843,938.952549040179638002 LEDS out of the pair through the token's internal balance-mutation helper. Second, the reward system made fresh LP positions immediately eligible and valued them with current helper prices inside the same transaction, so the attacker could flash-fund LP exposure, trigger the daily distribution, claim reward output, unwind, and keep the spread.
LEDS used three protocol-side proxies that matter for this incident:
0x491a70122412faebb97ae0cd75c0c2869ae65179: LEDS token proxy.0x0ce444e745591f3d5df5148a1257936918668605: LEDS reward proxy.0xd109a84a1afec068e70cdb11a75e14a856a96f3f: LEDS/WBNB Pancake pair.The unverified implementations active at the incident block were:
0xfb625061902643b0da1d2cb8461cfb3db3b7a48f: LEDS token logic.0x8e9266aece0f5deab4b2696b5933634b6b19d84c: reward logic.0x2534bed8409f0ef9d9769c447f39478ecf19c4d4: helper logic for price and snapshot values.The LEDS token exposed triggerDailyBurnAndMint() as a public entrypoint (0x1847cc20). The reward contract exposed the LP recorder selector 0xad5b80ae, claimLPReward(address) (0xde1b1942), and sendReward(uint256) (0xc78b6dea). The helper contract exposed the current-price selector 0x9aa5e581, getSnapshotPrice() (0x4a345a15), and getBnbPrice() (0x08760b0d).
Three preconditions made the exploit realizable:
triggerDailyBurnAndMint() was callable.This was an ATTACK-class ACT incident. The core invariant that failed was that AMM reserves should only move through pair-authorized mechanics or user-initiated token transfers, while LP reward eligibility should only accrue to economically committed positions rather than same-transaction ephemeral positions. LEDS violated the first half of that invariant by computing a deflation amount from the pair's LEDS balance and then debiting that balance internally as though the pair had consented to the transfer. It violated the second half by recording LP entries immediately during deposits and later pricing those entries with live helper prices when rewards were sent.
The two flaws compounded. The public daily trigger pulled 2.4% of pair inventory into the token contract, burned half, and sent half to the reward distributor. The distributor then rewarded the attacker contract that had just manufactured dominant LP participation in the same transaction. Because the entire path depended only on public BSC interfaces, the opportunity was permissionless and repeatable by any sufficiently funded adversary once the timing gate opened.
The seed transaction trace shows that the adversary contract 0xe941c0dd2196aa6806735a1d1668bdd15a896602 stacked capital with public venues before touching LEDS. One critical leg was a Venus borrow of 145000000000000000000000 wei from VBNB, which the trace records as:
VBNB::borrow(145000000000000000000000)
emit Borrow(borrower: 0xe941..., borrowAmount: 145000000000000000000000)
WBNB::deposit{value: 145000000000000000000000}()
The attack then repeatedly qualified for LEDS rewards inside the same transaction. The seed trace contains a long run of 0xad5b80ae calls into the reward proxy, each triggered by the attacker's repeated LP activity. Those calls prove that fresh LP state was being appended or refreshed immediately, before the later reward claim.
The token implementation disassembly shows why the public daily trigger was unsafe. Around the triggerDailyBurnAndMint() path, the implementation reads a helper-derived daily factor, reads the pair balance, computes the amount to remove, and jumps into the internal transfer helper with from = pair and to = address(this):
001c0d PUSH2 3751 ; helper for the daily factor
001c28 PUSH2 25a7 ; helper that reads pair balance
001c31 PUSH2 2710 ; divide by 10000
001c59 PUSH2 1c6c
001c66 ADDRESS ; token contract becomes recipient
001c67 DUP4 ; computed amount
001c68 PUSH2 36f2 ; internal transfer(from=pair,to=token,amount)
001ce9 ADDRESS
001cea PUSH2 dead
001ced DUP4
001cee PUSH2 36f2 ; burn half
001d09 ADDRESS
001d14 DUP4
001d15 PUSH2 36f2 ; send the other half to distributor
The trace confirms the exact result of that code path. Immediately after triggerDailyBurnAndMint() executes, the pair is debited and the extracted tokens are split:
0xFb6250...::triggerDailyBurnAndMint()
emit Transfer(from: PancakePair: [0xD109...], to: ERC1967Proxy: [0x491a...], value: 42843938952549040179638002)
emit Sync(reserve0: 1742320184070327633971945442, reserve1: 218954187445590484808)
emit Transfer(from: ERC1967Proxy: [0x491a...], to: 0x000000000000000000000000000000000000dEaD, value: 21421969476274520089819001)
emit Transfer(from: ERC1967Proxy: [0x491a...], to: ERC1967Proxy: [0x0ce444...], value: 21421969476274520089819001)
0x8e9266...::sendReward(21421969476274520089819001)
Before the trigger, the trace reports the pair reserve as 1785164123022876674151583444 raw LEDS. The extracted amount of 42843938952549040179638002 raw LEDS is exactly 2.4% of that balance, matching the arithmetic described in the root cause analysis.
The reward implementation made the second half of the exploit possible. Its dispatch table contains both 0xad5b80ae and 0xc78b6dea, and the disassembly around the reward path shows current helper prices being queried during reward accounting:
000198 PUSH4 ad5b80ae ; LP recorder selector
000172 PUSH4 c78b6dea ; sendReward selector
001dfa PUSH4 9aa5e581 ; helper current price
001e84 PUSH4 08760b0d ; helper BNB price
001e2a STATICCALL
001ea5 STATICCALL
The seed trace then shows claimLPReward(0xe941...) calling both helper price functions and paying the attacker contract 756605766171005310309504 raw LEDS:
0x8e9266...::claimLPReward(0xe941...)
0x2534be...::9aa5e581()
0x2534be...::getBnbPrice()
0xFb6250...::transfer(0xe941..., 756605766171005310309504)
emit Transfer(from: ERC1967Proxy: [0x0ce444...], to: 0xe941..., value: 756605766171005310309504)
emit LPRewardClaimed(param0: 0xe941..., param1: 756605766171005310309504)
That is the code-level breakpoint: the token contract illegally sources reward funding from the AMM pair, and the reward contract pays same-transaction LP state valued with current helper prices. The exploit does not require privileged keys, attacker-specific allowlists, or private orderflow.
The adversary flow was fully contained inside 0x26081ccd74296e45ccfb6031cea37a162748e0b81a110f9e657b155ee23f79da:
0x1f9b4d11cf1ec19972fdf73f94af22e928f91000 called the attacker contract 0xe941c0dd2196aa6806735a1d1668bdd15a896602.VBNB borrow of 145000 BNB-equivalent, then wrapped the borrowed BNB into WBNB.0xad5b80ae, proving that the reward contract accepted immediate same-transaction LP participation.triggerDailyBurnAndMint().42,843,938.952549040179638002 LEDS out of the pair, burned half, sent half to the reward distributor, and updated the helper's open-price state.claimLPReward(address) and received 756,605.766171005310309504 LEDS from the distributor.104.561194082248581109 WBNB back to the controlling EOA.The seed trace ends with the attacker contract sending the profit home:
WBNB::balanceOf(0xe941...) -> 104561194082248581109
WBNB::transfer(0x1F9B4d11cf1EC19972FdF73f94AF22e928f91000, 104561194082248581109)
Because the attacker helper contract was deployed and controlled by an unprivileged actor and every external dependency was public, the sequence meets the ACT adversary model.
The direct protocol loss was reserve theft from the LEDS/WBNB Pancake pair. The pair lost 42843938952549040179638002 raw LEDS (42,843,938.952549040179638002 LEDS, 18 decimals) in a single public trigger. Half of that amount was burned and half was pushed into the reward system, but both effects came from the same unauthorized debit against pair reserves.
The attacker realized value by capturing 756605766171005310309504 raw LEDS from the reward contract and converting the output into WBNB. The seed balance diff shows the attacker EOA paid 1683558520497000 wei in gas, and the trace shows the EOA ultimately received 104561194082248581109 wei of WBNB. Net of gas, the economic gain was 104.559510523728084109 BNB.
Affected public components were:
0x491a70122412faebb97ae0cd75c0c2869ae651790x0ce444e745591f3d5df5148a12579369186686050xd109a84a1afec068e70cdb11a75e14a856a96f3f0x26081ccd74296e45ccfb6031cea37a162748e0b81a110f9e657b155ee23f79da on BSC block 85402544.0x491a70122412faebb97ae0cd75c0c2869ae65179; implementation: 0xfb625061902643b0da1d2cb8461cfb3db3b7a48f.0x0ce444e745591f3d5df5148a1257936918668605; implementation: 0x8e9266aece0f5deab4b2696b5933634b6b19d84c.0x2534bed8409f0ef9d9769c447f39478ecf19c4d4.0xd109a84a1afec068e70cdb11a75e14a856a96f3f.