Clara
All incidents

HedgePay Staking Proxy Repeated forceExit Withdrawal Drain

Share
Feb 25, 2026 10:50 UTCAttackLoss: 57,525,318.05 HPAYManually checked1 exploit txWindow: Atomic
Estimated Impact
57,525,318.05 HPAY
Label
Attack
Exploit Tx
1
Addresses
2
Attack Window
Atomic
Feb 25, 2026 10:50 UTC → Feb 25, 2026 10:50 UTC

Exploit Transactions

TX 1BSC
0x5f2ea6cb43d14986188fa2f474d9e22502fa95cc76cab72cd6ba1ba146ed137f
Feb 25, 2026 10:50 UTCExplorer

Victim Addresses

0x6e30c17d2554dca5a1ac178939764c6bf61ab95aBSC
0xc75aa1fa199eac5adabc832ea4522cff6dfd521aBSC

Loss Breakdown

57,525,318.05HPAY

Similar Incidents

BSC staking pool reentrancy drain

36%
Feb 22, 2025 15:44 UTC·10.2 BNB

Mosca double-withdrawal exploit via helper on BNB

34%
Jan 06, 2025 05:19 UTC·11,366.12 USDC +1 more

OLY staking/router reward-abuse drains BEP20USDT from staking flows

33%
Jan 04, 2026 21:46 UTC·179,644.56 USDT

Marketplace proxy 0x9b3e9b92 bug drains USDT and mints rewards

33%
Nov 24, 2024 16:15 UTC·8,484.92 USDT +1 more

NeverFallToken LP Drain

32%
May 02, 2023 16:45 UTC·383,353.99 USDT +1 more

CS Pair Balance Burn Drain

32%
May 23, 2023 16:43 UTC·954,285 USDT

Root Cause Analysis

HedgePay Staking Proxy Repeated forceExit Withdrawal Drain

1. Incident Overview TL;DR

On BSC block 83268463, transaction 0x5f2ea6cb43d14986188fa2f474d9e22502fa95cc76cab72cd6ba1ba146ed137f exploited HedgePay staking proxy 0x6e30c17d2554dca5a1ac178939764c6bf61ab95a. The adversary flash-borrowed HPAY, staked once, then invoked forceExit() 50 times via proxy fallback/delegatecall, repeatedly withdrawing the same principal-sized amount (1173986082679038090893617 HPAY each call). The drained HPAY was swapped through PancakeRouter and converted to BNB; net native gain at the attacker EOA was 26014028087022048755 wei after gas.

Root cause: implementation 0xBe189fe9f84cA531CD979630E1f14757b88dD80d allows repeated forceExit() payouts without consuming the recorded stake position, violating one-time/ bounded-withdrawal accounting.

2. Key Background

  • 0x6e30... is a transparent upgradeable proxy; trace shows delegatecalls into implementation 0xBe189f... for staking functions.
  • HPAY token is 0xc75aa1fa199eac5adabc832ea4522cff6dfd521a; the exploit path relies on real on-chain token transfers and swaps, not local mocks.
  • The exploit is single-transaction and permissionless under normal BSC execution rules: flash borrow from pair 0xf603ae6ef2bf30ec77539279efbe80e3e0e8e233, public proxy calls, public router swaps.

3. Vulnerability Analysis & Root Cause Summary

This is an attack-class accounting flaw in staking exit logic. The vulnerable component is the staking implementation behind proxy 0x6e30..., specifically forceExit() (selector 0x67acc704) executed through delegatecall. Trace evidence shows one stake(...) call and then 50 forceExit() calls, each transferring the same HPAY amount from proxy treasury to attacker executor. The stake state is initialized during stake, but no corresponding state-consumption pattern is observed during repeated exits; instead, withdrawals keep succeeding until pool balance is depleted. This violates the invariant that cumulative exit payout for an account must not exceed recorded principal. Because the function is publicly callable and requires no privileged keys, any unprivileged actor can realize the opportunity when pool liquidity exists.

4. Detailed Root Cause Analysis

The exploit mechanism is fully observable in a single transaction trace:

0xBe189f...::stake(1197944982325549072340425) [delegatecall]   // 1 time
0xBe189f...::forceExit() [delegatecall]                          // 50 times

Trace also shows the stake-position storage write on stake:

@ 0xfa485f000aae286e8df2ef850d48a6ed4147dd9dd894d02c294a211452ed475f:
  0 -> 0x00000000000000000000000000000000000000000000f899e9bea7bd720f5931

Then each forceExit() performs the same payout-sized HPAY transfer:

HedgeToken::transfer(0x0dc0c0e040cadcc3855fa347daa192bc5fc9d6e8,
                     1173986082679038090893617)
emit Transfer(src: 0x6E30..., dst: 0x0dc0..., wad: 1173986082679038090893617)

Observed invariant break:

  • Expected: after full exit, remaining withdrawable principal for the caller should be zero.
  • Actual: 50 successful exits occur after one stake, each paying the same principal-sized amount.

Measured outcome from balance diffs:

  • Victim proxy HPAY delta: -57525318051272866453787233.
  • Attacker EOA native delta: +26014028087022048755 wei (net after gas).

Exploit conditions (ACT-realizable):

  • Attacker can source initial HPAY (flash borrow suffices).
  • Proxy holds enough HPAY balance.
  • forceExit() is publicly reachable and does not enforce one-time principal consumption.

Security principles violated:

  • Withdrawal state must be consumed atomically with value transfer.
  • Exit paths must cap cumulative payouts to recorded stake.
  • Upgradeable staking logic must preserve accounting invariants under repeated calls.

5. Adversary Flow Analysis

Transaction: 0x5f2ea6cb43d14986188fa2f474d9e22502fa95cc76cab72cd6ba1ba146ed137f (BSC 56, block 83268463).

  1. Flash borrow and setup
  • EOA 0x734e1bda62e779878f6c6f9f42d793badf247244 initiates exploit deployment/execution (0xcabba5..., 0x0dc0...).
  • Executor receives HPAY via pair callback path from 0xf603....
  1. Stake once, exit repeatedly
  • Executor stakes 1197944982325549072340425 HPAY via proxy.
  • Executor calls proxy fallback forceExit() 50 times (delegatecall into 0xBe189f...).
  • Each call transfers 1173986082679038090893617 HPAY from proxy to executor.
  1. Unwind and realize profit
  • Executor swaps drained HPAY via router 0x10ed43c718714eb63d5aa57b78b54704e256024e.
  • WBNB unwrap and native transfer send proceeds back to EOA.
  • Trace shows terminal transfer amount 26014224201105944931 wei before fee accounting; net native delta at EOA is 26014028087022048755 wei.

Adversary-related accounts:

  • 0x734e1bda62e779878f6c6f9f42d793badf247244 (EOA sender and profit recipient)
  • 0xcabba5f0d9911d46010d50a0f6d8bafa2b019114 (orchestrator contract)
  • 0x0dc0c0e040cadcc3855fa347daa192bc5fc9d6e8 (primary exploit executor)

6. Impact & Losses

Primary deterministic loss:

  • Token: HPAY (0xc75aa1fa199eac5adabc832ea4522cff6dfd521a)
  • Victim: staking proxy 0x6e30c17d2554dca5a1ac178939764c6bf61ab95a
  • Amount drained: 57525318051272866453787233 HPAY units

Profit realization:

  • Net attacker-native gain at sender EOA: 26014028087022048755 wei BNB (after gas).

7. References

  • Exploit tx: 0x5f2ea6cb43d14986188fa2f474d9e22502fa95cc76cab72cd6ba1ba146ed137f
  • Trace artifact (call flow, delegatecalls, storage/balance transitions): artifacts/collector/seed/56/0x5f2ea6cb43d14986188fa2f474d9e22502fa95cc76cab72cd6ba1ba146ed137f/trace.cast.log
  • Balance diff artifact (native + ERC20 deltas): artifacts/collector/seed/56/0x5f2ea6cb43d14986188fa2f474d9e22502fa95cc76cab72cd6ba1ba146ed137f/balance_diff.json
  • Metadata artifact (tx/block envelope): artifacts/collector/seed/56/0x5f2ea6cb43d14986188fa2f474d9e22502fa95cc76cab72cd6ba1ba146ed137f/metadata.json
  • Root cause source JSON: root_cause.json