This is a lower bound: only assets with reliable historical USD prices are counted, so the actual loss may be higher.
0x9a8c4c4edb7a76ecfa935780124c409f83a08d15c560bb67302182f8969be20d0x2b45dd1d909c01aad96fa6b67108d691b432f351BSCAn unprivileged adversary on BSC used a flash loan from a Pancake V3 USDT/WBNB pool to manipulate the internal USDT balance of the Smart_Bank contract 0x2b45…f351, then executed a carefully chosen Buy_SBT/Sell_SBT round-trip on its bonding-curve price functions to drain USDT and SBT from the protocol. In a single transaction at block 40378160, the adversary realized approximately 56,450.71 USDT net profit to EOA 0x3026c4…ce32 and extracted 18,700,116 SBT into helper contract 0x88f9e1, while Smart_Bank lost 57,445.21 USDT and 18,700,116 SBT.
Smart_Bank’s SBT/USDT pricing logic relies directly on USDT.balanceOf(this) and SBT.balanceOf(this) and assumes those balances are only changed by its own accounting, but it never defends against arbitrary external transfers; this allows an adversary to first donate USDT to inflate Smart_Bank_USDT_Balance, then combine Buy_SBT and Sell_SBT with specific sizes in a single tx (funded by a flash loan) to extract more USDT than originally supplied while also siphoning SBT from the contract.
Key Smart_Bank pricing helpers (from verified Contract.sol):
function SBT_Price() private view returns(uint256) {return((Smart_Bank_USDT_Balance()*10**18)/(Smart_Bank__SBT_Balance()));}
function SBT_Price_Sell(uint256 Value) private view returns(uint256) {return((Smart_Bank_USDT_Balance()*10**18)/(Value + Smart_Bank__SBT_Balance()));}
function Smart_Bank_USDT_Balance() public view returns(uint256) {return USDT.balanceOf(address(this)) / 10**18;}
function Smart_Bank__SBT_Balance() public view returns(uint256) {return SBT.balanceOf(address(this)) / 10**18;}
The root cause is a bonding-curve/accounting bug in Smart_Bank’s USDT/SBT pricing logic: SBT_Price() and SBT_Price_Sell(Value) are based solely on raw ERC20 balances, so an adversary can manipulate Smart_Bank_USDT_Balance() with an exogenous USDT transfer, then exploit the mismatch between the buy and sell formulas in a single tx (using flash-loaned liquidity) to drain USDT and SBT without net depositing equivalent value.
Invariant:
For any sequence of user interactions using Smart_Bank’s Buy_SBT and Sell_SBT functions (and related staking/loan logic) from a public pre-state σ_B, if a user starts and ends with zero net SBT exposure to Smart_Bank (i.e., returns at least as many SBT to the contract as they withdrew), then the user’s net USDT received from Smart_Bank, after accounting for protocol fees and any USDT they transferred into the contract, should be less than or equal to zero; equivalently, Smart_Bank should not pay out more USDT than it receives in such a closed SBT round-trip.
Breakpoint (code-level violation):
In Contract.sol for Smart_Bank 0x2b45…f351, the private helpers SBT_Price() and SBT_Price_Sell(uint256 Value) are defined as SBT_Price() = (Smart_Bank_USDT_Balance() * 1018) / Smart_Bank__SBT_Balance() and SBT_Price_Sell(Value) = (Smart_Bank_USDT_Balance() * 1018) / (Value + Smart_Bank__SBT_Balance()), where Smart_Bank_USDT_Balance() = USDT.balanceOf(address(this)) / 10**18; in Sell_Token(uint256 X), the contract then pays USDT.safeTransfer(msg.sender, (X * SBT_Price_Sell(X) * 90) / 100). Because Smart_Bank_USDT_Balance() uses the raw ERC20 balance, an adversary can first transfer 950,000 USDT directly into the contract to increase Smart_Bank_USDT_Balance() without increasing Smart_Bank__SBT_Balance(), then invoke Buy_Token and Sell_Token with X_buy = 20,000,000 and X_sell = 1,299,884 in the same tx, causing the contract to pay out more than 1.9M USDT while only accounting for ~1.91M USDT of inbound transfers, violating the invariant that closed SBT round-trips should not yield positive net USDT.
Detailed mechanism:
From the verified Smart_Bank source, we have:\n- Smart_Bank_USDT_Balance() = USDT.balanceOf(address(this)) / 1018;\n- Smart_Bank__SBT_Balance() = SBT.balanceOf(address(this)) / 1018;\n- SBT_Price() = (Smart_Bank_USDT_Balance() * 1018) / Smart_Bank__SBT_Balance();\n- SBT_Price_Sell(uint256 Value) = (Smart_Bank_USDT_Balance() * 1018) / (Value + Smart_Bank__SBT_Balance()).\nBuy_Token(uint256 X) (called via Buy_SBT) charges the user USDT.safeTransferFrom(msg.sender, address(this), X * SBT_Price()) and sends X * 1018 SBT. Sell_Token(uint256 X) (called via Sell_SBT) takes X * 1018 SBT from the user and pays (X * SBT_Price_Sell(X) * 90) / 100 USDT. These formulas assume that Smart_Bank_USDT_Balance and Smart_Bank__SBT_Balance reflect only the protocol’s controlled reserves, but they are in fact the live token balances that can be manipulated by arbitrary external transfers.\nIn the exploit tx, helper 0x88f9e1 first borrows 1,950,000 USDT from Pancake V3 pool 0x3669…2050 via a flash loan. It then calls USDT.transfer(0x2b45…f351, 950,000 USDT), raising Smart_Bank_USDT_Balance() before any Smart_Bank function is called. With this inflated USDT balance, the adversary calls the Buy_Token-equivalent function (selector 0x4eda1f98) with X_buy = 20,000,000, causing Smart_Bank to compute a high SBT_Price() and charge USDT.safeTransferFrom(0x88f9e1, 0x2b45…f351, 959,484.79032011366 USDT) while sending 20,000,000 SBT to 0x88f9e1. Next, the adversary calls Sell_Token-equivalent function (selector 0x25115948) with X_sell = 1,299,884, at which point Smart_Bank_USDT_Balance() includes both the original USDT reserves and the two previous inbound transfers; SBT_Price_Sell(X_sell) is computed off this inflated balance and a reduced SBT reserve (20,999,916.4308 − 20,000,000 + 1,299,884), and Sell_Token pays USDT.safeTransfer(0x2b45…f351 -> 0x88f9e1, 1,966,930 USDT).\nAcross these three USDT transfers involving Smart_Bank, the contract receives 950,000 + 959,484.79032011366 ≈ 1,909,484.79032011366 USDT and pays out 1,966,930 USDT, a net loss of exactly 57,445.20967988634 USDT as independently confirmed by usdt_wbnb_extended_seed_tx.json. At the same time, Smart_Bank sends out 20,000,000 SBT and takes back 1,299,884 SBT, for a net SBT loss of 18,700,116 tokens. The adversary’s flash loan and donation exploit the fact that Smart_Bank’s pricing formulas use raw balances and ignore the provenance of USDT/SBT in the pool: the protocol mistakenly treats the 950,000 USDT donation as part of its price backing but then effectively returns most of it plus additional USDT and SBT to the attacker. This is a pure accounting/price-curve bug; no privileged roles are used, and the same pattern can be reproduced by any unprivileged account with access to USDT and SBT and optional flash-loan liquidity.
Vulnerable components:
From the verified Smart_Bank source, we have:\n- Smart_Bank_USDT_Balance() = USDT.balanceOf(address(this)) / 1018;\n- Smart_Bank__SBT_Balance() = SBT.balanceOf(address(this)) / 1018;\n- SBT_Price() = (Smart_Bank_USDT_Balance() * 1018) / Smart_Bank__SBT_Balance();\n- SBT_Price_Sell(uint256 Value) = (Smart_Bank_USDT_Balance() * 1018) / (Value + Smart_Bank__SBT_Balance()).\nBuy_Token(uint256 X) (called via Buy_SBT) charges the user USDT.safeTransferFrom(msg.sender, address(this), X * SBT_Price()) and sends X * 1018 SBT. Sell_Token(uint256 X) (called via Sell_SBT) takes X * 1018 SBT from the user and pays (X * SBT_Price_Sell(X) * 90) / 100 USDT. These formulas assume that Smart_Bank_USDT_Balance and Smart_Bank__SBT_Balance reflect only the protocol’s controlled reserves, but they are in fact the live token balances that can be manipulated by arbitrary external transfers.\nIn the exploit tx, helper 0x88f9e1 first borrows 1,950,000 USDT from Pancake V3 pool 0x3669…2050 via a flash loan. It then calls USDT.transfer(0x2b45…f351, 950,000 USDT), raising Smart_Bank_USDT_Balance() before any Smart_Bank function is called. With this inflated USDT balance, the adversary calls the Buy_Token-equivalent function (selector 0x4eda1f98) with X_buy = 20,000,000, causing Smart_Bank to compute a high SBT_Price() and charge USDT.safeTransferFrom(0x88f9e1, 0x2b45…f351, 959,484.79032011366 USDT) while sending 20,000,000 SBT to 0x88f9e1. Next, the adversary calls Sell_Token-equivalent function (selector 0x25115948) with X_sell = 1,299,884, at which point Smart_Bank_USDT_Balance() includes both the original USDT reserves and the two previous inbound transfers; SBT_Price_Sell(X_sell) is computed off this inflated balance and a reduced SBT reserve (20,999,916.4308 − 20,000,000 + 1,299,884), and Sell_Token pays USDT.safeTransfer(0x2b45…f351 -> 0x88f9e1, 1,966,930 USDT).\nAcross these three USDT transfers involving Smart_Bank, the contract receives 950,000 + 959,484.79032011366 ≈ 1,909,484.79032011366 USDT and pays out 1,966,930 USDT, a net loss of exactly 57,445.20967988634 USDT as independently confirmed by usdt_wbnb_extended_seed_tx.json. At the same time, Smart_Bank sends out 20,000,000 SBT and takes back 1,299,884 SBT, for a net SBT loss of 18,700,116 tokens. The adversary’s flash loan and donation exploit the fact that Smart_Bank’s pricing formulas use raw balances and ignore the provenance of USDT/SBT in the pool: the protocol mistakenly treats the 950,000 USDT donation as part of its price backing but then effectively returns most of it plus additional USDT and SBT to the attacker. This is a pure accounting/price-curve bug; no privileged roles are used, and the same pattern can be reproduced by any unprivileged account with access to USDT and SBT and optional flash-loan liquidity.
Conditions required for the exploit (ACT opportunity):
Seed transaction balance diff excerpt (USDT & SBT):
[
{
"token": "0x55d398326f99059ff775485246999027b3197955",
"holder": "0x36696169c63e42cd08ce11f5deebbcebae652050",
"before": "36133491513892207520461026",
"after": "36134486013892207520461026",
"delta": "994500000000000000000",
"balances_slot": "1",
"slot_key": "0x4b4dfb61299ca62a744d1ae05c6e24e84740e94efd86eec09992191d35df35c4",
"contract_name": "BEP20USDT"
},
{
"token": "0x55d398326f99059ff775485246999027b3197955",
"holder": "0x2b45dd1d909c01aad96fa6b67108d691b432f351",
"before": "57455165109033599609515",
"after": "9955429147259609515",
"delta": "-57445209679886340000000",
"balances_slot": "1",
"slot_key": "0x87c17ff7bc843b6009e27da1c090f17e711ae6ed4f6be458b92ea9392953eadc",
"contract_name": "BEP20USDT"
},
{
"token": "0x55d398326f99059ff775485246999027b3197955",
"holder": "0x3026c464d3bd6ef0ced0d49e80f171b58176ce32",
"before": "123564839816",
"after": "56450709680009904839816",
"delta": "56450709679886340000000",
"balances_slot": "1",
"slot_key": "0x87c83e759d7b138d17b0e45f5f685f0c63524d86ad54e2a2f032a714b034a9ee",
"contract_name": "BEP20USDT"
},
{
"token": "0x94441698165fb7e132e207800b3ea57e34c93a72",
"holder": "0x2b45dd1d909c01aad96fa6b67108d691b432f351",
"before": "20999916430830343150012642",
"after": "2299800430830343150012642",
"delta": "-18700116000000000000000000",
"balances_slot": "0",
"slot_key": "0x80e24935e0b7a44eb071f236ef12dd8f0eda2b64eaab9e861ff84745818197c2",
"contract_name": "Smart_Bank_Token"
},
{
"token": "0x94441698165fb7e132e207800b3ea57e34c93a72",
"holder": "0x88f9e1799465655f0dd206093dbd08922a1d9e28",
"before": "0",
"after": "18700116000000000000000000",
"delta": "18700116000000000000000000",
"balances_slot": "0",
"slot_key": "0x62beb675b005c77f080f94ff9b46d61a7fc1f39f886c48a00838e11c357fdd56",
"contract_name": "Smart_Bank_Token"
}
]
The adversary executes a single, carefully constructed transaction via a freshly deployed helper contract that (1) takes a USDT flash loan from a Pancake V3 pool, (2) donates USDT directly to Smart_Bank to manipulate its internal price, (3) performs a large Buy_SBT and a partial Sell_SBT on the mispriced bonding curve to extract USDT and SBT, (4) repays the flash loan with fee, and (5) forwards the net USDT profit to the originating EOA.
EOA 0x3026c4…ce32 deploys helper contract 0x88f9e1, which will act as the orchestrator for flash loans and Smart_Bank interactions in the subsequent exploit tx.
Transactions:
Evidence notes:
artifacts/root_cause/data_collector/iter_1/address/56/0x88f9e1799465655f0dd206093dbd08922a1d9e28/txlist.json shows tx 0xf23338…d7ff as the creation of 0x88f9e1 by 0x3026c4…ce32.
Helper 0x88f9e1 calls Pancake V3 pool 0x3669…2050 to obtain a 1,950,000 USDT flash loan; the pool transfers USDT from its reserves to 0x88f9e1 and later expects principal plus a 0.05% fee to be returned within the same transaction.
Transactions:
Evidence notes:
debug_trace_call_tracer.json shows 0x88f9e1 calling 0x3669…2050 with selector 0x490e6cbc, followed by USDT.transfer(0x3669…2050 -> 0x88f9e1, 1,950,000 * 10^18) and a later USDT.transfer(0x88f9e1 -> 0x3669…2050, 1,950,994.5 * 10^18); usdt_wbnb_extended_seed_tx.json confirms the pool’s net +994.5 USDT balance change.
Helper 0x88f9e1 donates 950,000 USDT to Smart_Bank, calls its Buy_SBT-equivalent function with X_buy = 20,000,000 to exchange 959,484.79032011366 USDT for 20,000,000 SBT, then calls its Sell_SBT-equivalent with X_sell = 1,299,884 to exchange 1,299,884 SBT for 1,966,930 USDT; this sequence exploits Smart_Bank’s price functions to cause a net outflow of 57,445.20967988634 USDT and 18,700,116 SBT from Smart_Bank.
Transactions:
Evidence notes:
debug_trace_call_tracer.json shows USDT.transfer(0x88f9e1 -> 0x2b45…f351, 950,000 USDT), USDT.transferFrom(0x88f9e1 -> 0x2b45…f351, 959,484.79032011366 USDT), SBT.transfer(0x2b45…f351 -> 0x88f9e1, 20,000,000 SBT), SBT.transferFrom(0x88f9e1 -> 0x2b45…f351, 1,299,884 SBT), and USDT.transfer(0x2b45…f351 -> 0x88f9e1, 1,966,930 USDT). Smart_Bank Contract.sol defines SBT_Price() and SBT_Price_Sell(Value) in terms of Smart_Bank_USDT_Balance() and Smart_Bank__SBT_Balance(), which use raw token balances and are thus sensitive to the initial 950,000 USDT donation.
Helper 0x88f9e1 repays 1,950,994.5 USDT (principal plus fee) to the Pancake V3 pool, then transfers 56,450.70967988634 USDT to the originating EOA 0x3026c4…ce32 and retains 18,700,116 SBT. The EOA’s net portfolio value in USDT increases by 56,450.70967988634 after accounting for the flash-fee and gas.
Transactions:
Evidence notes:
debug_trace_call_tracer.json contains USDT.transfer(0x88f9e1 -> 0x3669…2050, 1,950,994.5 USDT) and USDT.transfer(0x88f9e1 -> 0x3026c4…ce32, 56,450.70967988634 USDT). usdt_wbnb_extended_seed_tx.json records the corresponding USDT deltas for the pool ( +994.5 USDT ) and EOA 0x3026c4…ce32 ( +56,450.70967988634 USDT ).
Total protocol-side losses:
During the exploit tx, Smart_Bank loses 57,445.20967988634 USDT and 18,700,116 SBT from its internal reserves. The USDT loss is immediately crystallized as profit for the adversary cluster (with 56,450.70967988634 USDT flowing to EOA 0x3026c4…ce32 and 994.5 USDT accruing as flash fee to the Pancake pool), while the SBT loss leaves Smart_Bank with significantly reduced SBT backing and exposes remaining users to potential further dilution or subsequent liquidation of the attacker’s SBT holdings. The exploit demonstrates that Smart_Bank’s USDT/SBT bonding curve can be profitably abused by any sufficiently capitalized adversary, severely undermining the protocol’s economic security.