Calculated from recorded token losses using historical USD prices at the incident time.
0x3f1973fe56de5ecd59a815d3b14741cf48385903b0ccfe248f7f10c2765061f70x9a1aef8c9ada4224ad774afdac07c24955c92a54BSC0x6a8c4448763c08adeb80adebf7a29b9477fa0628BSCOn BNB Chain block 27960446, transaction 0x3f1973fe56de5ecd59a815d3b14741cf48385903b0ccfe248f7f10c2765061f7 let an unprivileged adversary extract 90488670389646322334139 USDT from Pancake pair 0x6a8c4448763c08adeb80adebf7a29b9477fa0628. The attacker EOA 0x9bf2c7c21f3c488a1855dcd49158841c23e5c35b deployed helper contract 0x4985DB6Fa42F6a30Ea7D20CB19591A0552C67238, minted arbitrary cERC20 from 0x9a1aef8c9ada4224ad774afdac07c24955c92a54, and sold the freshly minted inventory through PancakeRouter.
The root cause is a direct access-control failure in cERC20. Its public mint(address,uint256,string) function has no ownership, role, signature, or nonce-consumption check, so any caller can create arbitrary supply and dump it into a liquid venue. The attack is deterministic and ACT-valid because it requires only public contracts, public state, and an unprivileged EOA.
The relevant market is a PancakeSwap V2-style pair between USDT 0x55d398326f99059ff775485246999027b3197955 and cERC20 0x9a1aef8c9ada4224ad774afdac07c24955c92a54. Pancake pairs price swaps from their live token balances. If one side of the pool can be minted by anyone, the paired reserve ceases to be protected by scarcity.
The attacker used PancakeRouter 0x10ED43C718714eb63d5aA57B78B54704E256024E only as a routing surface. The actual vulnerability is entirely inside cERC20. The updated auditor evidence also confirms that pair is a verified PancakePair whose is USDT, is cERC20, and is PancakeFactory .
0x6a8c4448763c08adeb80adebf7a29b9477fa0628token0token1factory0xcA143Ce32Fe78f1f7019d7d551a6402fC5350c73The relevant pre-state sigma_B is the BNB Chain state immediately before the seed transaction in block 27960446, including the six earlier transactions in that block. In that state, the pair already held deep USDT liquidity and an existing cERC20 reserve, making the drain possible as soon as arbitrary cERC20 minting was exercised.
This incident is an ATTACK, not an MEV-only liquidation or an accounting edge case. The broken security property is straightforward: only an authorized issuer should be able to increase cERC20 total supply. Instead, the token exposes a public mint path that any caller can use.
The code-level breakpoint is in the verified cERC20 source:
function mint(
address account,
uint256 amount,
string memory txId
) public returns (bool) {
_mint(account, amount);
emit Minted(account, amount, txId);
return true;
}
function _mint(address account, uint256 amount) internal {
require(account != address(0), "ERC20: mint to the zero address");
_totalSupply = _totalSupply.add(amount);
_balances[account] = _balances[account].add(amount);
emit Transfer(address(0), account, amount);
}
This function contains no authorization check of any kind. There is no owner gate, role gate, signature validation, or one-time txId consumption. That means the attacker did not need privileged access, leaked keys, or a custom off-chain dependency. The only requirement was the existence of a liquid market willing to accept cERC20 as input, which the Pancake pair already provided.
The exploit path is a single transaction and fully observable on-chain.
First, the attacker EOA deployed helper contract 0x4985DB6Fa42F6a30Ea7D20CB19591A0552C67238. The helper exists only to batch the public calls into one constructor execution. Nothing about the helper is privileged; any unprivileged user could deploy an equivalent contract or call the same functions directly.
Second, the helper called cERC20 mint(address,uint256,string) and minted 146965900202189951396348800 cERC20 for itself. The seed execution trace shows the mint succeeding immediately and increasing supply with no access-control barrier:
cERC20::mint(0x4985DB6Fa42F6a30Ea7D20CB19591A0552C67238, 146965900202189951396348800, "")
emit Transfer(from: 0x0000000000000000000000000000000000000000, to: 0x4985DB6Fa42F6a30Ea7D20CB19591A0552C67238, value: 146965900202189951396348800)
emit Minted(account: 0x4985DB6Fa42F6a30Ea7D20CB19591A0552C67238, amount: 146965900202189951396348800, txId: "")
Third, the helper approved PancakeRouter and sold the newly minted cERC20 into the cERC20/USDT pair. The same trace shows the router transferring the minted cERC20 into the pair and executing the swap:
PancakeRouter::swapExactTokensForTokensSupportingFeeOnTransferTokens(
146965900202189951396348800,
0,
[cERC20, USDT],
0x9bf2c7c21f3c488a1855dcd49158841c23e5c35b,
1683338179
)
...
PancakePair::swap(90488670389646322334139, 0, 0x9bf2c7c21f3c488a1855dcd49158841c23e5c35b, 0x)
Because the pair only enforces AMM reserve math against token balances, it treated the attacker-minted cERC20 as valid inventory and released real USDT. The balance diff for the seed transaction shows the exact economic consequence:
{
"pair_usdt_before": "92302979570391110751867",
"pair_usdt_after": "1814309180744788417728",
"pair_usdt_delta": "-90488670389646322334139",
"attacker_usdt_before": "0",
"attacker_usdt_after": "90488670389646322334139",
"attacker_usdt_delta": "90488670389646322334139"
}
The non-monetary exploit predicate also holds: the pair ended with materially less USDT than it held in sigma_B because arbitrary cERC20 was sold against it. The monetary predicate holds as well. Auditor profit valuation using PancakeRouter getAmountsOut at block 27960446 values the stolen USDT at 275874690371789281456 wei WBNB-equivalent, against only 4567260000000000 wei BNB spent on gas, for a net gain of 275870123111789281456 wei WBNB-equivalent.
The adversary flow has three concrete stages.
Helper deployment.
EOA 0x9bf2c7c21f3c488a1855dcd49158841c23e5c35b submitted the seed transaction and deployed helper 0x4985DB6Fa42F6a30Ea7D20CB19591A0552C67238. The helper stored the victim token, Pancake pair, PancakeRouter, and USDT addresses.
Unauthorized mint.
The helper called cERC20.mint(account, amount, txId) and increased total supply by 146965900202189951396348800 for itself. This is the invariant break: a supply-changing function that should be privileged is callable by anyone.
Reserve-draining swap.
The helper approved PancakeRouter and sold all minted cERC20 into pair 0x6a8c4448763c08adeb80adebf7a29b9477fa0628. The pair transferred 90488670389646322334139 USDT to the attacker EOA and ended with only 1814309180744788417728 USDT remaining. The observed gas cost was 4567260000000000 wei BNB.
The ACT framing is satisfied because the transaction sequence is reproducible from public information alone:
No private key compromise, whitelist bypass, or attacker-specific artifact is needed.
The direct measurable loss is:
90488670389646322334139 smallest units (decimal = 18)Economically, the cERC20/USDT Pancake pair was drained of nearly all of its USDT reserve and left holding mostly attacker-created cERC20. The parties that bore the loss are the liquidity providers or other economic stakeholders exposed to that pair.
0x3f1973fe56de5ecd59a815d3b14741cf48385903b0ccfe248f7f10c2765061f7/workspace/session/artifacts/collector/seed/56/0x3f1973fe56de5ecd59a815d3b14741cf48385903b0ccfe248f7f10c2765061f7/trace.cast.log/workspace/session/artifacts/collector/seed/56/0x3f1973fe56de5ecd59a815d3b14741cf48385903b0ccfe248f7f10c2765061f7/balance_diff.jsonhttps://bscscan.com/address/0x9a1aef8c9ada4224ad774afdac07c24955c92a54#codehttps://bscscan.com/address/0x6a8c4448763c08adeb80adebf7a29b9477fa0628#code/workspace/session/artifacts/auditor/iter_1/pair_verification.json/workspace/session/artifacts/auditor/iter_0/profit_valuation.json