Clara
All incidents

Public Mint Drains USDT Pair

Share
May 06, 2023 01:56 UTCAttackLoss: 90,488.67 USDTPending manual check1 exploit txWindow: Atomic
Estimated Impact
90,488.67 USDT
Label
Attack
Exploit Tx
1
Addresses
2
Attack Window
Atomic
May 06, 2023 01:56 UTC → May 06, 2023 01:56 UTC

Exploit Transactions

TX 1BSC
0x3f1973fe56de5ecd59a815d3b14741cf48385903b0ccfe248f7f10c2765061f7
May 06, 2023 01:56 UTCExplorer

Victim Addresses

0x9a1aef8c9ada4224ad774afdac07c24955c92a54BSC
0x6a8c4448763c08adeb80adebf7a29b9477fa0628BSC

Loss Breakdown

90,488.67USDT

Similar Incidents

Public mint flaw drains USDT from c3b1 token pool

46%
Nov 24, 2024 04:38 UTC·31,538.62 USDT

AI IPC destroy-sync mechanism drains IPC-USDT pair USDT reserves

43%
Jan 07, 2025 15:52 UTC·591,934,203.95 USDT

MetaverseToken fee misconfiguration drains USDT from Pancake pair

42%
Jan 12, 2026 08:05 UTC·36,995.24 USDT

CS Pair Balance Burn Drain

39%
May 23, 2023 16:43 UTC·954,285 USDT

Marketplace proxy 0x9b3e9b92 bug drains USDT and mints rewards

39%
Nov 24, 2024 16:15 UTC·8,484.92 USDT +1 more

SellToken Arbitrary-Pair LP Drain

37%
May 10, 2023 16:16 UTC·58,060,083.58 QiQi +1 more

Root Cause Analysis

Public Mint Drains USDT Pair

1. Incident Overview TL;DR

On BNB Chain block 27960446, transaction 0x3f1973fe56de5ecd59a815d3b14741cf48385903b0ccfe248f7f10c2765061f7 let an unprivileged adversary extract 90488670389646322334139 USDT from Pancake pair 0x6a8c4448763c08adeb80adebf7a29b9477fa0628. The attacker EOA 0x9bf2c7c21f3c488a1855dcd49158841c23e5c35b deployed helper contract 0x4985DB6Fa42F6a30Ea7D20CB19591A0552C67238, minted arbitrary cERC20 from 0x9a1aef8c9ada4224ad774afdac07c24955c92a54, and sold the freshly minted inventory through PancakeRouter.

The root cause is a direct access-control failure in cERC20. Its public mint(address,uint256,string) function has no ownership, role, signature, or nonce-consumption check, so any caller can create arbitrary supply and dump it into a liquid venue. The attack is deterministic and ACT-valid because it requires only public contracts, public state, and an unprivileged EOA.

2. Key Background

The relevant market is a PancakeSwap V2-style pair between USDT 0x55d398326f99059ff775485246999027b3197955 and cERC20 0x9a1aef8c9ada4224ad774afdac07c24955c92a54. Pancake pairs price swaps from their live token balances. If one side of the pool can be minted by anyone, the paired reserve ceases to be protected by scarcity.

The attacker used PancakeRouter 0x10ED43C718714eb63d5aA57B78B54704E256024E only as a routing surface. The actual vulnerability is entirely inside cERC20. The updated auditor evidence also confirms that pair 0x6a8c4448763c08adeb80adebf7a29b9477fa0628 is a verified PancakePair whose token0 is USDT, token1 is cERC20, and factory is PancakeFactory 0xcA143Ce32Fe78f1f7019d7d551a6402fC5350c73.

The relevant pre-state sigma_B is the BNB Chain state immediately before the seed transaction in block 27960446, including the six earlier transactions in that block. In that state, the pair already held deep USDT liquidity and an existing cERC20 reserve, making the drain possible as soon as arbitrary cERC20 minting was exercised.

3. Vulnerability Analysis & Root Cause Summary

This incident is an ATTACK, not an MEV-only liquidation or an accounting edge case. The broken security property is straightforward: only an authorized issuer should be able to increase cERC20 total supply. Instead, the token exposes a public mint path that any caller can use.

The code-level breakpoint is in the verified cERC20 source:

function mint(
    address account,
    uint256 amount,
    string memory txId
) public returns (bool) {
    _mint(account, amount);
    emit Minted(account, amount, txId);
    return true;
}

function _mint(address account, uint256 amount) internal {
    require(account != address(0), "ERC20: mint to the zero address");
    _totalSupply = _totalSupply.add(amount);
    _balances[account] = _balances[account].add(amount);
    emit Transfer(address(0), account, amount);
}

This function contains no authorization check of any kind. There is no owner gate, role gate, signature validation, or one-time txId consumption. That means the attacker did not need privileged access, leaked keys, or a custom off-chain dependency. The only requirement was the existence of a liquid market willing to accept cERC20 as input, which the Pancake pair already provided.

4. Detailed Root Cause Analysis

The exploit path is a single transaction and fully observable on-chain.

First, the attacker EOA deployed helper contract 0x4985DB6Fa42F6a30Ea7D20CB19591A0552C67238. The helper exists only to batch the public calls into one constructor execution. Nothing about the helper is privileged; any unprivileged user could deploy an equivalent contract or call the same functions directly.

Second, the helper called cERC20 mint(address,uint256,string) and minted 146965900202189951396348800 cERC20 for itself. The seed execution trace shows the mint succeeding immediately and increasing supply with no access-control barrier:

cERC20::mint(0x4985DB6Fa42F6a30Ea7D20CB19591A0552C67238, 146965900202189951396348800, "")
  emit Transfer(from: 0x0000000000000000000000000000000000000000, to: 0x4985DB6Fa42F6a30Ea7D20CB19591A0552C67238, value: 146965900202189951396348800)
  emit Minted(account: 0x4985DB6Fa42F6a30Ea7D20CB19591A0552C67238, amount: 146965900202189951396348800, txId: "")

Third, the helper approved PancakeRouter and sold the newly minted cERC20 into the cERC20/USDT pair. The same trace shows the router transferring the minted cERC20 into the pair and executing the swap:

PancakeRouter::swapExactTokensForTokensSupportingFeeOnTransferTokens(
  146965900202189951396348800,
  0,
  [cERC20, USDT],
  0x9bf2c7c21f3c488a1855dcd49158841c23e5c35b,
  1683338179
)
...
PancakePair::swap(90488670389646322334139, 0, 0x9bf2c7c21f3c488a1855dcd49158841c23e5c35b, 0x)

Because the pair only enforces AMM reserve math against token balances, it treated the attacker-minted cERC20 as valid inventory and released real USDT. The balance diff for the seed transaction shows the exact economic consequence:

{
  "pair_usdt_before": "92302979570391110751867",
  "pair_usdt_after": "1814309180744788417728",
  "pair_usdt_delta": "-90488670389646322334139",
  "attacker_usdt_before": "0",
  "attacker_usdt_after": "90488670389646322334139",
  "attacker_usdt_delta": "90488670389646322334139"
}

The non-monetary exploit predicate also holds: the pair ended with materially less USDT than it held in sigma_B because arbitrary cERC20 was sold against it. The monetary predicate holds as well. Auditor profit valuation using PancakeRouter getAmountsOut at block 27960446 values the stolen USDT at 275874690371789281456 wei WBNB-equivalent, against only 4567260000000000 wei BNB spent on gas, for a net gain of 275870123111789281456 wei WBNB-equivalent.

5. Adversary Flow Analysis

The adversary flow has three concrete stages.

Helper deployment.
EOA 0x9bf2c7c21f3c488a1855dcd49158841c23e5c35b submitted the seed transaction and deployed helper 0x4985DB6Fa42F6a30Ea7D20CB19591A0552C67238. The helper stored the victim token, Pancake pair, PancakeRouter, and USDT addresses.

Unauthorized mint.
The helper called cERC20.mint(account, amount, txId) and increased total supply by 146965900202189951396348800 for itself. This is the invariant break: a supply-changing function that should be privileged is callable by anyone.

Reserve-draining swap.
The helper approved PancakeRouter and sold all minted cERC20 into pair 0x6a8c4448763c08adeb80adebf7a29b9477fa0628. The pair transferred 90488670389646322334139 USDT to the attacker EOA and ended with only 1814309180744788417728 USDT remaining. The observed gas cost was 4567260000000000 wei BNB.

The ACT framing is satisfied because the transaction sequence is reproducible from public information alone:

  1. Observe the public cERC20 contract and its unrestricted mint.
  2. Observe the public Pancake pair reserve and router path.
  3. Mint arbitrary cERC20 from a fresh attacker identity.
  4. Swap the minted cERC20 into USDT and realize profit.

No private key compromise, whitelist bypass, or attacker-specific artifact is needed.

6. Impact & Losses

The direct measurable loss is:

  • USDT: 90488670389646322334139 smallest units (decimal = 18)

Economically, the cERC20/USDT Pancake pair was drained of nearly all of its USDT reserve and left holding mostly attacker-created cERC20. The parties that bore the loss are the liquidity providers or other economic stakeholders exposed to that pair.

7. References

  1. Seed transaction: 0x3f1973fe56de5ecd59a815d3b14741cf48385903b0ccfe248f7f10c2765061f7
  2. Seed execution trace: /workspace/session/artifacts/collector/seed/56/0x3f1973fe56de5ecd59a815d3b14741cf48385903b0ccfe248f7f10c2765061f7/trace.cast.log
  3. Seed balance diff: /workspace/session/artifacts/collector/seed/56/0x3f1973fe56de5ecd59a815d3b14741cf48385903b0ccfe248f7f10c2765061f7/balance_diff.json
  4. Verified cERC20 source: https://bscscan.com/address/0x9a1aef8c9ada4224ad774afdac07c24955c92a54#code
  5. Verified Pancake pair source: https://bscscan.com/address/0x6a8c4448763c08adeb80adebf7a29b9477fa0628#code
  6. Pair verification artifact: /workspace/session/artifacts/auditor/iter_1/pair_verification.json
  7. Profit valuation artifact: /workspace/session/artifacts/auditor/iter_0/profit_valuation.json