All incidents
Loading report...
Overview
Code Analysis
Execution Trace
Root Cause Analysis
Rendering incident details
0x2a65254b41b42f39331a0bcc9f893518d6b106e80d9a476b8ca3816325f4a1500x95e92b09b89cf31fa9f1eca4109a85f88eb08531BSC0x0dfb6ac3a8ea88d058be219066931db2bee9a581BSC0xb5252fcef718f8629f81f1dfcff869594ad478c6BSCAt BSC block 49470430, transaction 0x2a65254b41b42f39331a0bcc9f893518d6b106e80d9a476b8ca3816325f4a150 used an attacker-owned helper to wrap 0.001 BNB into WBNB, deposit that WBNB into the public Mobius vault, receive 9731099570720980659843835099042677 MBU, and dump a small slice of the inflated MBU into Pancake liquidity for 2157126179348943736411799 raw BSC-USD units. The root cause was a unit-scaling error in deposit(address,uint256) on vault implementation 0x637d8ce897bb653cb83ba436cdf76bbe158f05b1: the mint path multiplied by an extra 1e18 before dividing by the MBU price, so the vault minted 1e18 too much MBU for a normal deposit.
Mobius exposed an upgradeable vault proxy at 0x95e92b09b89cf31fa9f1eca4109a85f88eb08531 and an upgradeable token proxy at 0x0dfb6ac3a8ea88d058be219066931db2bee9a581. Historical EIP-1967 slot reads show that at the exploit block the vault proxy delegated to implementation 0x637d8ce897bb653cb83ba436cdf76bbe158f05b1, while the token proxy delegated to 0xb1c4605f08d90a2af06a0f85348d50b499629aa8. The public deposit entrypoint was still reachable then, and a later upgrade only happened at block 49495855, after the exploit window.
The deposit path priced WBNB in USD through 0xb9d3bb65aacd77ba6033f92cef043b979d9c10d4::getBNBPriceInUSDT() and fetched an MBU price through the selector path marked by 0x0769b6f3 in the exploit-block disassembly. MBU was liquid on Pancake through pair 0xb5252fcef718f8629f81f1dfcff869594ad478c6 against BSC-USD 0x55d398326f99059ff775485246999027b3197955, which gave a direct path from over-minted MBU into stablecoin profit.
Historical proxy state at the exploit block
vault proxy 0x95e92b09... @ 49470430 -> 0x637d8ce897bb653cb83ba436cdf76bbe158f05b1
token proxy 0x0dfb6ac3... @ 49470430 -> 0xb1c4605f08d90a2af06a0f85348d50b499629aa8
This was an ATTACK case caused by unit-inconsistent mint accounting in the vault deposit path. The intended invariant was straightforward: for an 18-decimal deposit token and an 18-decimal MBU price feed, a depositor should receive depositAmount * bnbPrice / tokenPrice MBU units, up to truncation. Instead, the exploit-block bytecode inserted an extra 1e18 multiplier after pricing the deposit and before the final division, turning the actual formula into depositAmount * bnbPrice * 1e18 / tokenPrice. Because the deposit amount, BNB price, MBU price, and MBU token all already used 18-decimal scaling, the extra fixed-point factor inflated the mint output by 1e18. That made the public deposit(address,uint256) entrypoint economically unsafe for any caller, not just the historical attacker. The token proxy then accepted the mint call and issued the inflated MBU, so the bug was fully exploitable inside one public transaction.
The exploit trace enters the vault proxy 0x95e92b09b89cf31fa9f1eca4109a85f88eb08531, which delegates into implementation 0x637d8ce897bb653cb83ba436cdf76bbe158f05b1. The deposit path fetches the WBNB/USD price, fetches the token price, transfers the depositor's WBNB into the vault, and then calls the MBU token proxy to mint tokens back to the depositor.
The decisive evidence is the exploit-block disassembly excerpt below. It shows the token-price getter, then PUSH8 0x0de0b6b3a7640000 (1e18), then MUL, and only later the terminal DIV.
Exploit-block vault implementation arithmetic excerpt
00003061: PUSH4 0x0769b6f3
0000306c: STATICCALL
0000307d: PUSH8 0x0de0b6b3a7640000
00003088: MUL
00003097: DIV
That bytecode-level breakpoint matches the arithmetic recovered from traces. The exploit transaction deposited 1000000000000000 wei of WBNB, observed getBNBPriceInUSDT() = 656921601740811896377, observed token price 67507438082060477686, and minted 9731099570720980659843835099042677 MBU. Those values satisfy:
1000000000000000 * 656921601740811896377 * 10^18 / 67507438082060477686
= 9731099570720980659843835099042677.542...
An unrelated public deposit transaction, 0x84674f8b0ac41b8870b79e51abc4ea491ebf97f02f57d45241073d7cac364dee, reaches the same deposit(address,uint256) selector and matches the same formula. That second trace rules out a one-off attacker-side artifact and shows the bug lived in the public protocol logic. The exploit conditions were minimal: an unprivileged user only needed a small WBNB balance, approval for the vault, the still-enabled mint path, and enough Pancake BSC-USD liquidity to dump a small fraction of the over-minted MBU.
The adversary cluster consisted of sender EOA 0xb32a53af96f7735d47f4b76c525bd5eb02b42600 and helper contract 0x631adff068d484ce531fb519cda4042805521641. The seed transaction metadata shows the EOA called its helper with selector 0xcd60b03d, passing the Mobius vault and token proxies as arguments. The helper then wrapped 0.001 BNB into WBNB, approved the vault, and called the public deposit entrypoint on the vault proxy.
Once the deposit executed, the flawed mint formula created 9731099570720980659843835099042677 MBU for the helper. The exploit did not need to sell all of it. The trace shows the helper sold 30000000000000000000000000 MBU through PancakeRouter 0x10ed43c718714eb63d5aa57b78b54704e256024e, which was enough to drain almost the full BSC-USD side of pair 0xb5252fcef718f8629f81f1dfcff869594ad478c6.
Seed exploit flow
EOA 0xb32a53af... -> helper 0x631adff0...
helper -> WBNB deposit() with 0.001 BNB
helper -> vault deposit(address,uint256)
vault -> token mint inflated MBU
helper -> PancakeRouter swapExactTokensForTokensSupportingFeeOnTransferTokens
pair loses 2157126179348943736411799 BSC-USD
EOA gains 2157126179348943736411799 BSC-USD
The helper contract was attacker-owned orchestration, not a privileged protocol component. The root cause remains ACT because the same economic path is reachable by any unprivileged actor without special permissions or attacker-only artifacts.
The immediate measurable loss was the extraction of 2157126179348943736411799 raw BSC-USD units from the public MBU/BSC-USD Pancake pool. The attacker funded only a negligible WBNB deposit and realized protocol-scale stablecoin profit because the protocol minted a fantastically inflated MBU balance relative to deposited value. The affected parties were the liquidity providers or pool inventory backing the MBU/BSC-USD market, and more broadly the Mobius token economics because the protocol allowed impossible MBU issuance through a public path.
0x2a65254b41b42f39331a0bcc9f893518d6b106e80d9a476b8ca3816325f4a150494704300x84674f8b0ac41b8870b79e51abc4ea491ebf97f02f57d45241073d7cac364deeaddMinter(address) and upgradeToAndCall(address,bytes) to place the vulnerable implementation in time