Calculated from recorded token losses using historical USD prices at the incident time.
0x85f82230883693f1bbff65be1f7663ee5f0aa5f8BSC0x19b3f588bdc9a6f9ecb8255919b02f9adf053363BSCTLN Protocol was exploited on BSC through a two-transaction, fully permissionless sequence. In transaction 0x8d27f9a15b1834e5f9e55d47ec32d01e7fe54f93cfc6ea9d4e8c5fbe72756897, the adversary prepared the route by turning 2 BNB into a VOW-vUSD LP position and establishing a SmartNode referral chain. In transaction 0x1350cc72865420ba5d3c27234fd4665ad25c021b0a75ba03bc8340a1b1f98a45, the adversary borrowed 19,000,000 USDT from Pancake V3 pool 0x36696169c63e42cd08ce11f5deebbcebae652050, distorted the public VOW-USDT pair 0xc6585bc17b53792f281a9739579dd60535c1f9fb, used that distorted reserve state to over-mint TLN from staking contract 0x85f82230883693f1bbff65be1f7663ee5f0aa5f8, then locked the inflated TLN in TlnSwap 0x19b3f588bdc9a6f9ecb8255919b02f9adf053363 while posting only a tiny amount of VOW collateral.
The root cause is reserve-oracle misuse across two victim components. The staking contract priced TLN issuance from instantaneous VOW-USDT and VOW-vUSD reserves, and TlnSwap priced required VOW collateral from the same manipulable VOW-USDT spot reserves. Because both modules trusted same-transaction AMM reserves, a flash borrower could inflate TLN issuance, borrow vUSD against that inflated TLN, unwind through public pools, repay the flash loan plus fee, and retain 107881749956792323205771 USDT.
Three public protocol components matter for understanding this incident.
First, staking contract 0x85f82230883693f1bbff65be1f7663ee5f0aa5f8 is an unverified contract, but the collected constructor and selector artifacts show it is wired to LP pair 0x72dcf845ae36401e82e681b0e063d0703bac0bba, VOW-USDT pair , TLN token , SmartNode , and helper contract . Those artifacts also expose and , which is the exact surface used during the exploit.
0xc6585bc17b53792f281a9739579dd60535c1f9fb0xf7d142a354322c7560250caa0e2a06c89649e4c20x028c911c10c9e346158206991e02d09bd0a8a35b0x9a9e97a015ca65f48973835b45d4e28a99f89191stake(uint256)lpRate()Second, helper contract 0x9a9e97a015ca65f48973835b45d4e28a99f89191 contributes referral and tier logic to staking. The exploit trace shows those helper branches execute only after the base TLN-per-LP value has already been computed from manipulated reserves. That means helper logic amplifies the outcome but does not create the pricing failure.
Third, verified TlnSwap source shows lock(uint256) computes the required VOW collateral from live VOW-USDT reserves:
function lock(uint256 amount) external {
uint256 lockedVow = _vowToLock(amount);
_vowToken.safeTransferFrom(_msgSender(), address(this), lockedVow);
uint256 borrowAmount = (amount * 1000) / 984;
_vusdToken.safeTransfer(_msgSender(), borrowAmount);
}
function _vowToLock(uint256 amountIn) internal view returns (uint256 vowAmount) {
(uint112 reserveIn, uint112 reserveOut, ) = _vowUsdtPair.getReserves();
vowAmount = _getAmountOut(amountIn / 5, reserveIn, reserveOut);
}
function _getAmountOut(uint256 amountIn, uint256 reserveIn, uint256 reserveOut)
internal
pure
returns (uint amountOut)
{
uint256 rate = reserveIn * 10000 / reserveOut;
amountOut = amountIn * 10000 / rate;
}
Algebraically, _getAmountOut reduces to amountIn * reserveOut / reserveIn. When the attacker first drives USDT reserves up and VOW reserves down in the VOW-USDT pair, the collateral requirement collapses.
The vulnerability is an ATTACK-class oracle misuse, not a private-key compromise and not a privileged-action incident. TLN Protocol allowed two economic-critical calculations to depend on same-transaction AMM spot reserves that an unprivileged flash borrower could move at will.
The first vulnerable step is staking-side reward issuance. The exploit trace shows both stake(1e18) and stake(942253377026177767815) are executed immediately after the attacker distorts the VOW-USDT reserves, and both calls emit the same base reward rate of 15651.36520714870471045 TLN per LP. That shared rate is the key evidence that staking is pricing from the manipulated reserve snapshot rather than from any manipulation-resistant oracle.
The second vulnerable step is TlnSwap collateral pricing. TlnSwap::lock reads the same manipulated VOW-USDT reserves and uses _vowToLock to determine how much VOW the borrower must post. With the reserve ratio already skewed, the contract accepts only 71530270655320077627 VOW while minting 3199510344301177871795565 vUSD against 3199510344301177871795565 TLN.
The broken invariant is straightforward: TLN rewards per LP and VOW collateral requirements for vUSD borrowing must not be functions of a flash-loan-manipulable spot reserve ratio. The code-level breakpoint is the reserve read inside staking lpRate()/stake() and TlnSwap::_vowToLock().
The adversary first created the prerequisite LP and referral state in transaction 0x8d27...6897. The seed trace shows the attacker converted 2 BNB into VOW and vUSD, added liquidity to the VOW-vUSD pair, deployed helper 0x63290c69fa3b463bd224da847aa32317dbf5d0cf, and used public SmartNode::join(address) calls so the helper joined first and the attacker joined under that helper.
The decisive exploit happened in transaction 0x1350...8a45. The trace shows Pancake V3 flash pool 0x3669...2050 lending 19000000000000000000000000 USDT, after which the attacker pushed that USDT through the public VOW-USDT pair. Immediately after the manipulation, the trace records the pair reserves at roughly 19168714539174243098608055 USDT and 2142739331740252639958 VOW. That reserve state is the input consumed by both victim components.
The staking leg came next. The exploit trace records the helper staking 1e18 LP and then the attacker staking 942253377026177767815 LP, with both stakes emitting the same base TLN-per-LP value:
emit Stake(param0: 0x63290C69Fa3B463bd224Da847aA32317dBf5d0cF, param1: 1000000000000000000, param2: 15651365207148704710450)
That base rate is reserve-derived. The helper contract then applies deterministic bonus logic, but the underlying pricing error has already occurred. The attacker cluster accumulates enough TLN to continue the exploit path.
The TlnSwap leg is the realization step. The same exploit trace shows:
0x19B3F588BdC9a6f9ecb8255919B02F9ADF053363::lock(3199510344301177871795565)
...
Transfer(from: attacker, to: 0x19B3..., value: 71530270655320077627)
...
Transfer(from: 0x19B3..., to: attacker, value: 3199510344301177871795565)
emit Lock(param0: attacker, param1: 7423, param2: 3199510344301177871795565, param3: 71530270655320077627)
The verified TlnSwap source explains why this happens: _vowToLock reads live pair reserves and computes collateral directly from the reserve ratio. Because the attacker already forced reserveOut / reserveIn to be extremely small, the contract undercharges VOW collateral.
The unwind is then fully public and deterministic. The attacker sells the borrowed vUSD back into the VOW-vUSD pair, sells 800000000000000000000000 VOW back into the manipulated VOW-USDT pair, repays the flash loan plus the 9500000000000000000000 USDT fee, and retains the remainder.
The balance-diff artifact confirms the monetary result:
{
"token": "0x55d398326f99059ff775485246999027b3197955",
"holder": "0xbdfbb387fbf20379c016998ac609871c3357d749",
"before": "0",
"after": "107881749956792323205771",
"delta": "107881749956792323205771"
}
The adversary cluster consists of EOA 0x6951eb8a4a1dab360f2230fb654551335d560ec0, flash-loan executor 0xbdfbb387fbf20379c016998ac609871c3357d749, and helper 0x63290c69fa3b463bd224da847aa32317dbf5d0cf. Collected metadata shows the attacker contract was created by that EOA, and the disassembly ties it to the flash pool, staking contract, TlnSwap, and token addresses used on-chain.
The flow is:
Preparation tx:
1. Swap 2 BNB into VOW and vUSD.
2. Add VOW-vUSD liquidity.
3. Deploy helper contract.
4. Join SmartNode with helper first, attacker second.
Exploit tx:
1. Flash-borrow 19,000,000 USDT.
2. Swap USDT -> VOW in the VOW-USDT pair to skew reserves.
3. Stake helper LP and attacker LP while reserves are skewed.
4. Pull helper TLN back to attacker.
5. Lock inflated TLN in TlnSwap and pay only small VOW collateral.
6. Swap borrowed vUSD back into VOW.
7. Sell part of the VOW into USDT.
8. Repay flash loan plus fee.
9. Keep residual USDT profit.
Every step uses deployed public contracts and normal approvals or callbacks. No privileged role, off-chain secret, or attacker-side artifact is required beyond a fresh helper/executor contract and temporary capital from a public flash pool.
The direct realized attacker profit is 107881749956792323205771 USDT units, encoded at 18 decimals. The VOW-USDT pair itself loses 117381749956792323205771 USDT units over the exploit transaction, while TLN Protocol components issue TLN and vUSD against manipulated prices rather than fair collateral values.
The affected victim surface is TLN Protocol’s staking contract 0x85f82230883693f1bbff65be1f7663ee5f0aa5f8 and TlnSwap 0x19b3f588bdc9a6f9ecb8255919b02f9adf053363. The exploit is ACT because any unprivileged actor could reproduce the same reserve manipulation and victim-call sequence against the same public contracts from the same pre-state.
0x8d27f9a15b1834e5f9e55d47ec32d01e7fe54f93cfc6ea9d4e8c5fbe72756897 with trace and balance diff in the seed artifacts.0x1350cc72865420ba5d3c27234fd4665ad25c021b0a75ba03bc8340a1b1f98a45 with trace and balance diff in the seed artifacts.0x85f82230883693f1bbff65be1f7663ee5f0aa5f8.0x9a9e97a015ca65f48973835b45d4e28a99f89191.0xbdfbb387fbf20379c016998ac609871c3357d749.TlnSwap 0x19b3f588bdc9a6f9ecb8255919b02f9adf053363, specifically lock(uint256), _vowToLock(uint256), and _getAmountOut(uint256,uint256,uint256).