Invariant: For the HANA/WETH pair 0xe7b4e528308c84fd6698906b6224615e9e30d236, the constant-product invariant x*y=k with a 0.3% LP fee holds for every swap, and HANA's ERC20 logic preserves total supply while routing a configurable fraction of each taxed transfer into an internal tax balance that can be swapped for ETH and forwarded to _taxWallet via sendETHToFee; these contracts are intended to maintain consistent accounting and AMM pricing under arbitrary user trades. Breakpoint: In block 20827437, the adversary-crafted transaction 0xe8cee3450545a865b4a8fffd93938ae93429574dc8e01b02bc6a02f2f4490e4e calls the orchestrator and helper to execute swapExactTokensForTokensSupportingFeeOnTransferTokens from HANA to WETH through the HANA/WETH pair, which in turn triggers HANA.swapTokensForEth and sendETHToFee to swap accumulated HANA tax into WETH and then ETH and send exactly 7.206502753487157557 ETH from HANA to the _taxWallet 0x147c7a8c5d68019495ccb17093cf8c901603efac; this is the first concrete state transition in sequence b that sets up the final WETH.withdraw and ETH distribution yielding a net 0.099442024478767458 ETH profit for the adversary while all contract-level accounting and AMM invariants remain satisfied.

4. Detailed Root Cause Analysis

The incident is a single-transaction MEV arbitrage that leverages HANA's tax-token design rather than a bug. From pre-state c_B, the adversary knows the public HANA/WETH reserves, HANA's tax parameters, and the presence of accumulated HANA tax tokens within the contract. By calling an orchestrator function on 0xbdb0bc0941ba81672593cd8b3f9281789f2754d1, the adversary routes a specific HANA amount from helper 0xf3cb07a3e57bf69301c3a51d8ac87427c53aa357 through UniswapV2Router02.swapExactTokensForTokensSupportingFeeOnTransferTokens into the HANA/WETH pair. This trade is structured so that HANA's internal tax accounting accumulates additional HANA in the contract, then invokes swapTokensForEth to sell those HANA tokens for ETH via UniswapV2Router02.swapExactTokensForETHSupportingFeeOnTransferTokens and immediately calls sendETHToFee, which transfers 7.206502753487157557 ETH from HANA to the configured _taxWallet 0x147c7a8c5d68019495ccb17093cf8c901603efac. After this tax-swap, the orchestrator converts WETH back to ETH using WETH.withdraw and sends 0.00412387008942168 ETH to the block producer and 0.108334790875911824 ETH to the EOA 0x7248939f65bdd23aab9eaab1bc4a4f909567486e. Gas usage from the receipt confirms a cost of 0.008892766397143976 ETH, so the EOA's net portfolio gain is 0.099442024478767458 ETH. At every step, HANA's ERC20 transfer and tax logic and the Uniswap V2 pair's x*y=k pricing remain internally consistent; the profit arises from adversarial routing and timing of publicly known tax and AMM mechanics, not from any invariant violation.

Vulnerable Components

• HANA ERC20 tax token contract 0xb3912b20b3abc78c15e85e13ec0bf334fbb924f7, specifically its tax parameters, swapTokensForEth, and sendETHToFee implementation using UniswapV2Router02.swapExactTokensForETHSupportingFeeOnTransferTokens.
• Uniswap V2 HANA/WETH pair 0xe7b4e528308c84fd6698906b6224615e9e30d236, whose public reserves and constant-product pricing enable deterministic MEV opportunities around HANA tax-swap events.
• Adversary-owned orchestrator 0xbdb0bc0941ba81672593cd8b3f9281789f2754d1 and helper 0xf3cb07a3e57bf69301c3a51d8ac87427c53aa357, which are used to source HANA, configure router calls, and distribute ETH proceeds but do not introduce any privileged access to HANA or the HANA/WETH pair.

ACT Exploit Conditions

• HANA trading is enabled and the HANA/WETH Uniswap V2 pool 0xe7b4e528308c84fd6698906b6224615e9e30d236 has sufficient liquidity and tax accumulation in HANA's internal balance to support the tax-swap and subsequent arbitrage steps.
• An unprivileged EOA can deploy or reuse orchestrator and helper contracts that call standard Uniswap V2 router functions, HANA, and WETH, and can submit transactions with competitive gas prices to be included in block 20827437 or an equivalent future block.
• The adversary can observe on-chain state (including pool reserves and HANA configuration) and construct calldata so that the HANA0WETH swap plus HANA's swapTokensForEth and sendETHToFee sequence yields a deterministic positive ETH P/L after accounting for gas and explicit builder payment.

Security Principles Violated

• Economic fairness for ordinary traders and tax-wallet recipients interacting with public AMM pools: transparent tax-token and AMM mechanics allow unprivileged searchers to extract deterministic MEV profits by optimally routing and ordering trades without violating any protocol-level safety invariant.

HANA tax token code excerpt (_taxWallet and sendETHToFee)

address payable private _taxWallet;
function sendETHToFee(uint256 amount) private {
    _taxWallet.transfer(amount);
}

Seed transaction trace excerpt: HANA sends ETH to tax wallet

{ "from": "0xb3912b20b3abc78c15e85e13ec0bf334fbb924f7", "to": "0x147c7a8c5d68019495ccb17093cf8c901603efac", "value": "0x6402a4129679f935" }

Balance diffs for key parties in tx 0xe8cee3…0e4e

{"address": "0x7248939f65bdd23aab9eaab1bc4a4f909567486e", "delta_wei": "99442024478767458"}
{"address": "0x95222290dd7278aa3ddd389cc1e1d165cc4bafe5", "delta_wei": "4123870089421680"}
{"address": "0xb3912b20b3abc78c15e85e13ec0bf334fbb924f7", "delta_wei": "-50000000000000000"}
{"address": "0x147c7a8c5d68019495ccb17093cf8c901603efac", "delta_wei": "7206502753487157557"}

5. Adversary Flow Analysis

The adversary runs a reusable MEV strategy from EOA 0x7248939f65bdd23aab9eaab1bc4a4f909567486e through orchestrator 0xbdb0bc0941ba81672593cd8b3f9281789f2754d1 and helper 0xf3cb07a3e57bf69301c3a51d8ac87427c53aa357 to route HANA through the HANA/WETH Uniswap V2 pool, trigger HANA's tax-swap and sendETHToFee, withdraw WETH to ETH, and distribute ETH to the builder and the EOA in a single transaction.

Adversary-Related Accounts

Adversary cluster

• Ethereum mainnet (chainid 1): 0x7248939f65bdd23aab9eaab1bc4a4f909567486e — Sender of both orchestrator calls 0xabe686a97d769d15e5586055f73e4b60d84758d3df0608cd6b8892b336a804d0 (block 20827405) and 0xe8cee3450545a865b4a8fffd93938ae93429574dc8e01b02bc6a02f2f4490e4e (block 20827437), and direct recipient of the 0.108334790875911824 ETH payout in the incident transaction, as shown in tx.json, receipt.json, txlist_normal.json, and balance_diff.json.
• Ethereum mainnet (chainid 1): 0xbdb0bc0941ba81672593cd8b3f9281789f2754d1 — Orchestrator contract called by the EOA in both observed transactions; decompiled code and call traces show it forwarding tokens, interacting with Uniswap V2 router 0x7a250d5630b4cf539739df2c5dacb4c659f2488d, calling WETH.withdraw, and distributing ETH to the builder and the EOA without any privileged access beyond ownership by the MEV searcher.
• Ethereum mainnet (chainid 1): 0xf3cb07a3e57bf69301c3a51d8ac87427c53aa357 — Helper contract that receives HANA from orchestrator 0xbdb0bc0941ba81672593cd8b3f9281789f2754d1 and interacts with HANA, the HANA/WETH pair, and the Uniswap V2 router during the incident transaction; runtime bytecode and decompilation confirm it is controlled by the same adversary cluster and provides routing functionality only. Victim candidates
• Ethereum mainnet (chainid 1): 0x147c7a8c5d68019495ccb17093cf8c901603efac — HANA tax wallet (_taxWallet) receiving 7.206502753487157557 ETH via sendETHToFee (is_verified=true)
• Ethereum mainnet (chainid 1): 0xe7b4e528308c84fd6698906b6224615e9e30d236 — HANA/WETH Uniswap V2 liquidity providers at pair 0xe7b4e528308c84fd6698906b6224615e9e30d236 (is_verified=true)

Adversary Lifecycle Stages

• Adversary orchestrator usage before incident block: EOA 0x7248939f65bdd23aab9eaab1bc4a4f909567486e calls orchestrator 0xbdb0bc0941ba81672593cd8b3f9281789f2754d1 with function selector 0x3d35e910 against a different token/pool combination, demonstrating that the orchestrator is an adversary-controlled MEV tool used shortly before the incident block.
  • Tx 0xabe686a97d769d15e5586055f73e4b60d84758d3df0608cd6b8892b336a804d0 on Ethereum mainnet (block 20827405)
  • Evidence: artifacts/root_cause/data_collector/iter_1/address/1/0x7248939f65bdd23aab9eaab1bc4a4f909567486e/txlist_normal.json and orchestrator decompilation in artifacts/root_cause/data_collector/iter_1/contract/1/0xbdb0bc0941ba81672593cd8b3f9281789f2754d1/decompile/0xbdb0bc0941ba81672593cd8b3f9281789f2754d1-decompiled.sol.
• Incident MEV arbitrage and HANA tax-swap execution: The orchestrator and helper route HANA from the helper into the HANA/WETH Uniswap V2 pair via UniswapV2Router02.swapExactTokensForTokensSupportingFeeOnTransferTokens, triggering HANA.swapTokensForEth and sendETHToFee so that HANA sells its accumulated tax balance for ETH and sends exactly 7.206502753487157557 ETH to the tax wallet 0x147c7a8c5d68019495ccb17093cf8c901603efac, then convert WETH back to ETH and distribute 0.00412387008942168 ETH to the block producer and 0.108334790875911824 ETH to the EOA.
  • Tx 0xe8cee3450545a865b4a8fffd93938ae93429574dc8e01b02bc6a02f2f4490e4e on Ethereum mainnet (block 20827437)
  • Evidence: QuickNode callTracer and prestateTracer for tx 0xe8cee3450545a865b4a8fffd93938ae93429574dc8e01b02bc6a02f2f4490e4e, together with HANA verified source and the Uniswap V2 pair source under artifacts/root_cause/data_collector/iter_1/contract/1.
• Post-trade state and realized MEV profit: After execution, the EOA's ETH balance has increased by 0.099442024478767458 ETH net of gas and explicit builder payment, HANA's balance has decreased by 0.05 ETH, the tax wallet has gained 7.206502753487157557 ETH, and the HANA/WETH pool reserves have shifted in a manner consistent with the executed swaps and Uniswap V2 x*y=k pricing.
  • Tx 0xe8cee3450545a865b4a8fffd93938ae93429574dc8e01b02bc6a02f2f4490e4e on Ethereum mainnet (block 20827437)
  • Evidence: artifacts/root_cause/seed/1/0xe8cee3450545a865b4a8fffd93938ae93429574dc8e01b02bc6a02f2f4490e4e/balance_diff.json and the final state entries in debug_trace.prestate_tracer.json.

6. Impact & Losses

• Token: ETH, Amount: 0.099442024478767458 The direct measurable impact of this MEV ACT opportunity is a 0.099442024478767458 ETH profit to the adversary EOA in a single transaction, funded by trading against the HANA/WETH pool and by HANA's tax-swap transferring 7.206502753487157557 ETH to the tax wallet; no protocol invariant or user balance accounting is violated, but HANA traders and liquidity providers are exposed to extractable value whenever similar routing opportunities exist.

7. References

• [1] Seed tx metadata and receipt for 0xe8cee3...0e4e: artifacts/root_cause/data_collector/iter_1/tx/1/0xe8cee3450545a865b4a8fffd93938ae93429574dc8e01b02bc6a02f2f4490e4e
• [2] QuickNode debug traces (callTracer and prestateTracer) for 0xe8cee3...0e4e: artifacts/root_cause/data_collector/iter_1/tx/1/0xe8cee3450545a865b4a8fffd93938ae93429574dc8e01b02bc6a02f2f4490e4e
• [3] HANA verified source and ABI (0xb3912b20b3abc78c15e85e13ec0bf334fbb924f7): artifacts/root_cause/data_collector/iter_1/contract/1/0xb3912b20b3abc78c15e85e13ec0bf334fbb924f7/source/etherscan_getsourcecode.json
• [4] Uniswap V2 HANA/WETH pair source (0xe7b4e528308c84fd6698906b6224615e9e30d236): artifacts/root_cause/data_collector/iter_1/contract/1/0xe7b4e528308c84fd6698906b6224615e9e30d236/source/src/Contract.sol
• [5] Adversary EOA tx history around block 20827437: artifacts/root_cause/data_collector/iter_1/address/1/0x7248939f65bdd23aab9eaab1bc4a4f909567486e/txlist_normal.json