PGNLZ Pre Burn Exploit on BSC PGNLZ

Date: Jan 27, 2026 13:16 UTC
Label: Attack
Estimated Impact: 100,901.09 USDT
Manually checked
Exploit Tx: 1
Addresses: 1
Attack Window: Atomic (Jan 27, 2026 13:16 UTC → Jan 27, 2026 13:16 UTC)

Exploit Transactions

TX 1 (BSC): 0xc7270212846136f3d103d1802a30cdaa6f8f280c4bce02240e99806101e08121
Jan 27, 2026 13:16 UTC

Victim Addresses

0x8cd8e57bcd00857bebe891a2349f32738cb7e658 (BSC)

Loss Breakdown

100,901.09 USDT

Root Cause Analysis

1. Incident Overview TL;DR

On BSC (chainid 56), a single constructor-based transaction 0xc7270212846136f3d103d1802a30cdaa6f8f280c4bce02240e99806101e08121 from EOA 0xfe95ecc0795399662221ab48948cdcf3f6d4aa86 deployed a one-shot orchestrator contract 0x6947cc82a49a20e2fd8ebb699230b92e7f1a6bfa. During its constructor, the orchestrator routed a pre-trading PGNLZ sell through Pancake router 0x10ed43c718714eb63d5aa57b78b54704e256024e into the PGNLZ/USDT PancakePair 0x8cd8e57bcd00857bebe891a2349f32738cb7e658, triggered PGNLZ’s LP burn mechanism, and then drained almost all BEP20USDT from the pool.

The root cause is a flawed pre-trading LP burn design in the PGNLZ token contract 0x6b923cf1d592e6aa07ea7249d817a843c30ac69e. A large pendingBurnFromLP amount accumulated from earlier sells while trading was disabled. When the attacker performed a sufficiently large sell into the PGNLZ/USDT pair before trading was enabled, PGNLZ’s internal _handleSellTax logic called _executeBurnFromLP, which burned the accumulated pendingBurnFromLP directly from the LP’s PGNLZ balance to the DEAD address and then synced the pair. USDT reserves and LP totalSupply remained effectively unchanged, leaving the pool severely mispriced in favor of PGNLZ.

From this mispriced state, the orchestrator executed swaps that sold the attacker’s PGNLZ into BEP20USDT at an artificially high price, transferring 100901091670654947873079 BEP20USDT from the PGNLZ/USDT pair to the attacker-controlled cluster. Liquidity providers in the PGNLZ/USDT pool effectively lost the USDT backing their LP tokens, while their LP totalSupply and on-chain representation of liquidity did not decrease.

2. Key Background

PGNLZ (0x6b923cf1d592e6aa07ea7249d817a843c30ac69e) is a BEP20 token on BSC that integrates tax, referral, and pre-trading controls. Its compiled artifact shows an ERC20-like layout with additional state variables, including tradingEnabled and pendingBurnFromLP, used to manage a pre-trading LP burn mechanism. The token is paired with BEP20USDT (0x55d398326f99059ff775485246999027b3197955) on a Pancake V2-style pair 0x8cd8e57bcd00857bebe891a2349f32738cb7e658.

From the PGNLZ compilation metadata:

// PGNLZ storage layout (excerpt from verified artifact)
{
  "storage": [
    { "label": "_balances", "slot": "0", "type": "mapping(address => uint256)" },
    { "label": "_allowances", "slot": "1", "type": "mapping(address => mapping(address => uint256))" },
    { "label": "_totalSupply", "slot": "2", "type": "uint256" },
    { "label": "_owner", "slot": "5", "type": "address" },
    { "label": "tradingEnabled", "slot": "10", "type": "bool" },
    { "label": "_inSwap", "slot": "10", "type": "bool" },
    { "label": "accumulatedForLP", "slot": "11", "type": "uint256" },
    { "label": "pendingBurnFromLP", "slot": "12", "type": "uint256" }
  ]
}

The AMM side is a standard constant-product pair. Reserve snapshots for the PGNLZ/USDT pair across three relevant blocks show stable pre-state reserves and totalSupply before the exploit, followed by a collapse in reserves while LP totalSupply remains unchanged:

// PGNLZ/USDT pair reserves and LP supply (artifacts/root_cause/data_collector/iter_4/.../pair_reserves_kLast_totalSupply_snapshots.json)
{
  "pair": "0x8cd8e57bcd00857bebe891a2349f32738cb7e658",
  "blocks": [77720527, 77721026, 77721027],
  "snapshots": [
    {
      "block": 77721026,
      "getReserves_decoded": {
        "reserve0": 100901107494979015602304,
        "reserve1": 982506561547683163020775
      },
      "totalSupply_decoded": 316170103368536009213473
    },
    {
      "block": 77721027,
      "getReserves_decoded": {
        "reserve0": 15824324067729225,
        "reserve1": 14849037069946758939
      },
      "totalSupply_decoded": 316170103368536009213473
    }
  ]
}

Here reserve0 is BEP20USDT and reserve1 is PGNLZ. Between blocks 77721026 (pre-state σ_B) and 77721027 (post-exploit), both reserves collapse by roughly five orders of magnitude while LP totalSupply remains identical, meaning the LP token supply no longer reflects the backing reserves.
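
The snapshot comparison above can be turned into a monitoring check. The following is an added example, not code from the original analysis: it flags any block where reserve0*reserve1 per squared LP totalSupply falls, which swaps and ordinary mint/burn do not cause. The function names and the tolerance_bps parameter are assumptions; the snapshot values are copied from the excerpt above.

```python
# Added example (illustrative names): detect a V2-style pair whose reserves
# fell without a matching drop in LP totalSupply.
# Snapshot values are copied from the page's reserve snapshot excerpt.
SNAPSHOTS = [
    {"block": 77721026,
     "reserve0": 100901107494979015602304,   # BEP20USDT
     "reserve1": 982506561547683163020775,   # PGNLZ
     "totalSupply": 316170103368536009213473},
    {"block": 77721027,
     "reserve0": 15824324067729225,
     "reserve1": 14849037069946758939,
     "totalSupply": 316170103368536009213473},
]


def value_per_lp_dropped(prev, cur, tolerance_bps=10):
    """True when reserve0*reserve1 / totalSupply^2 fell by more than the tolerance.

    A swap cannot lower reserve0*reserve1, and mint/burn move reserves and
    totalSupply together, so a drop means the pair's balances were changed
    from outside the pair (for example a token contract moving the pair's
    balance and then calling sync). The tolerance (an assumption) absorbs
    protocol-fee LP mints and rounding.
    """
    k_prev = prev["reserve0"] * prev["reserve1"]
    k_cur = cur["reserve0"] * cur["reserve1"]
    lhs = k_cur * prev["totalSupply"] ** 2 * 10_000
    rhs = k_prev * cur["totalSupply"] ** 2 * (10_000 - tolerance_bps)
    return lhs < rhs


def usdt_per_lp(snap):
    """reserve0 (BEP20USDT) backing one whole LP token, in raw 18-decimal units."""
    return snap["reserve0"] * 10**18 // snap["totalSupply"]


def scan(snapshots, tolerance_bps=10):
    """Compare consecutive snapshots and return one alert per offending block."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        if not prev["totalSupply"] or not cur["totalSupply"]:
            continue  # empty pool: nothing to compare against
        if value_per_lp_dropped(prev, cur, tolerance_bps):
            alerts.append({
                "block": cur["block"],
                "usdt_per_lp_before": usdt_per_lp(prev),
                "usdt_per_lp_after": usdt_per_lp(cur),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SNAPSHOTS):
        print(alert)
```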

The adversary-related cluster includes:

  • EOA attacker: 0xfe95ecc0795399662221ab48948cdcf3f6d4aa86
  • Single-use orchestrator (contract-creation target of the seed tx): 0x6947cc82a49a20e2fd8ebb699230b92e7f1a6bfa
  • Helper contract receiving intermediate BEP20USDT flows: 0xd93c837a05915facaee1cb1ea0628283b6ef5ad7

Public artifacts (receipt, traces, and balance diffs) are sufficient to reconstruct the entire exploit path from this adversary cluster and the victim pool.

3. Vulnerability Analysis & Root Cause Summary

The vulnerability is an economic design flaw in PGNLZ’s pre-trading LP burn mechanism, not a low-level arithmetic or access-control bug. While trading is disabled, sells into the PGNLZ/USDT pair contribute to a pendingBurnFromLP accumulator instead of immediately burning tokens from the pool. When certain conditions are later met (a sufficiently large sell and trading still restricted), PGNLZ’s _handleSellTax triggers _executeBurnFromLP, which burns pendingBurnFromLP units of PGNLZ directly from the pair’s balance to the DEAD address. Crucially, the burn is not matched by a corresponding change in USDT reserves or LP totalSupply.

This pre-trading burn design violates the constant-product AMM invariant expected by liquidity providers: large amounts of PGNLZ are removed from the pool “for free,” leaving USDT reserves intact and LP totalSupply unchanged. As a result, each LP token claims far more USDT than it should relative to the remaining PGNLZ reserves, and the on-chain price becomes heavily skewed in favor of selling PGNLZ for USDT.

The adversary’s orchestrator transaction exploits this mispricing in a single block. After _executeBurnFromLP burns the accumulated pendingBurnFromLP from the LP, the orchestrator swaps the attacker’s PGNLZ balance into BEP20USDT at the distorted rate, draining almost all USDT from the PGNLZ/USDT pair. Because the exploit uses only public contracts (PGNLZ, Pancake router, and the pair) plus an attacker-deployed orchestrator, it constitutes an anyone-can-take (ACT) opportunity from the publicly reconstructible pre-state at block 77721026.

4. Detailed Root Cause Analysis

4.1 Pre-state σ_B at block 77721026

At block 77721026 (σ_B), the PGNLZ/USDT pair holds large and stable reserves:

  • BEP20USDT reserve (pair reserve0): 100901107494979015602304
  • PGNLZ reserve (pair reserve1): 982506561547683163020775
  • LP totalSupply: 316170103368536009213473

PGNLZ’s on-chain state at this point includes:

  • A large pendingBurnFromLP value (from previous pre-trading sells).
  • tradingEnabled is still false.
  • The attacker EOA holds both PGNLZ and BEP20USDT balances, as captured in balance_diff.json.

From the ERC20 balance diffs for the seed transaction:

// Seed transaction balance diffs (artifacts/root_cause/seed/.../balance_diff.json, excerpt)
{
  "erc20_balance_deltas": [
    {
      "token": "0x55d398326f99059ff775485246999027b3197955",
      "holder": "0x8cd8e57bcd00857bebe891a2349f32738cb7e658",
      "before": "100901107494979015602304",
      "after": "15824324067729225",
      "delta": "-100901091670654947873079",
      "contract_name": "BEP20USDT"
    },
    {
      "token": "0x55d398326f99059ff775485246999027b3197955",
      "holder": "0xfe95ecc0795399662221ab48948cdcf3f6d4aa86",
      "before": "311973556816233427705",
      "after": "101213065227471181300784",
      "delta": "100901091670654947873079",
      "contract_name": "BEP20USDT"
    },
    {
      "token": "0x6b923cf1d592e6aa07ea7249d817a843c30ac69e",
      "holder": "0x8cd8e57bcd00857bebe891a2349f32738cb7e658",
      "before": "982506561547683163020775",
      "after": "14849037069946758939",
      "delta": "-982491712510613216261836",
      "contract_name": "PGNLZ"
    },
    {
      "token": "0x6b923cf1d592e6aa07ea7249d817a843c30ac69e",
      "holder": "0x000000000000000000000000000000000000dead",
      "before": "1458101860936293362145078",
      "after": "2440608422483966525165853",
      "delta": "982506561547673163020775",
      "contract_name": "PGNLZ"
    }
  ]
}

These diffs precisely match the pair reserve snapshots: a huge amount of PGNLZ is removed from the pair and sent to DEAD, while the pair’s USDT reserve falls by exactly the amount that the attacker EOA gains.

4.2 Vulnerable pre-trading LP burn logic

PGNLZ’s design accumulates LP burn amounts in pendingBurnFromLP during a pre-trading phase. When a sell exceeding MIN_SELL_FOR_BURN occurs under the right conditions, _handleSellTax invokes _executeBurnFromLP. Conceptually, the relevant logic is:

  • Check whether trading is in the pre-trading phase and pendingBurnFromLP > 0.
  • For a qualifying sell, transfer pendingBurnFromLP PGNLZ from the LP’s token balance to the DEAD address.
  • Call sync on the PGNLZ/USDT pair to update reserves.

Because the burn removes only PGNLZ from the LP and does not adjust USDT reserves or LP totalSupply, LP tokens become over-collateralized in USDT relative to their remaining PGNLZ backing. The AMM’s internal invariant (which liquidity providers implicitly rely on) is broken at this point.

4.3 Exploit transaction mechanics

The seed transaction is a contract-creation tx from the attacker EOA that deploys orchestrator 0x6947cc82a49a20e2fd8ebb699230b92e7f1a6bfa. The orchestrator’s constructor:

  1. Interfaces with Pancake router 0x10ed43c718714eb63d5aa57b78b54704e256024e, PGNLZ, and the PGNLZ/USDT pair.
  2. Routes a pre-trading PGNLZ sell from the attacker into the pair, which triggers PGNLZ _handleSellTax and in turn _executeBurnFromLP.
  3. _executeBurnFromLP burns the entire pendingBurnFromLP from the pair’s PGNLZ balance to DEAD and syncs the pair.
  4. With the pair now mispriced (very low PGNLZ, unchanged USDT up to this point, constant LP totalSupply), the orchestrator performs swaps that sell the attacker’s PGNLZ holdings into BEP20USDT at the distorted rate.
  5. BEP20USDT proceeds flow via helper contract 0xd93c837a05915facaee1cb1ea0628283b6ef5ad7 and end up under attacker control.

The balance diffs and reserve snapshots show:

  • PGNLZ burned from the pair to DEAD: approximately 9.825e23 units (the pendingBurnFromLP realized plus remaining reserves moved).
  • Pair USDT outflow: -100901091670654947873079 BEP20USDT.
  • Attacker USDT inflow: +100901091670654947873079 BEP20USDT.
  • LP totalSupply unchanged at 316170103368536009213473.

Native balance deltas for the attacker EOA show:

  • Before: 213006915335609216 wei
  • After: 212701890430584616 wei
  • Gas cost: 305024905024600 wei

This confirms that all fees were paid in BNB, and the BEP20USDT gain is not offset by any USDT-denominated fee.

4.4 Invariant and concrete breakpoint

The implicit invariant for the PGNLZ/USDT pair under a constant-product AMM is:

  • For any sequence of trades, LP token holders should not be able to withdraw more BEP20USDT than justified by the value of their contributed PGNLZ and USDT, given AMM pricing and fees.

PGNLZ’s pre-trading LP burn design introduces a concrete breakpoint:

  • When pendingBurnFromLP > 0 and a qualifying pre-trading sell occurs, _executeBurnFromLP burns pendingBurnFromLP tokens from the LP’s PGNLZ balance to DEAD and syncs, without reducing USDT reserves or LP totalSupply.

This operation breaks the invariant by gifting value to current and future PGNLZ sellers at the expense of LPs. The attacker’s orchestrator then immediately realizes this latent value by selling a relatively modest PGNLZ balance into an LP that now has drastically fewer PGNLZ and the same USDT (before swaps), obtaining nearly all remaining USDT. The invariant violation is thus localized to the combination of:

  • PGNLZ state (pendingBurnFromLP), and
  • The _executeBurnFromLP call to the PGNLZ/USDT pair.
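
To put numbers on the burn-then-sync step from sections 4.2 and 4.4, the following added example (not PGNLZ or PancakeSwap source code) models a constant-product pair with the PancakeSwap V2 0.25% fee and compares the output of one fixed probe sell before and after the burn. It assumes the burn size equals the PGNLZ amount credited to DEAD in the balance diff, since the page does not state pendingBurnFromLP itself; the 1 PGNLZ probe and all function names are constructed for illustration.

```python
# Added illustration (not PGNLZ or PancakeSwap source): constant-product pair
# after a token-side burn from the pair followed by sync().
FEE_NUM, FEE_DEN = 9975, 10000   # PancakeSwap V2 swap fee of 0.25%

# Pre-state at block 77721026, copied from the page (raw 18-decimal units).
USDT_RESERVE = 100901107494979015602304
PGNLZ_RESERVE = 982506561547683163020775
# PGNLZ credited to DEAD in the page's balance diff; used as the burn size
# here as an assumption, since the page does not state pendingBurnFromLP.
BURN = 982506561547673163020775
PROBE_SELL = 10**18              # constructed probe: 1 PGNLZ


def amount_out(amount_in, reserve_in, reserve_out):
    """V2 getAmountOut: fee is taken from the input, integer division."""
    fee_in = amount_in * FEE_NUM
    return fee_in * reserve_out // (reserve_in * FEE_DEN + fee_in)


def burn_from_pair_and_sync(usdt, pgnlz, burn):
    """Token moves `burn` PGNLZ out of the pair; sync() then adopts the
    balances as reserves. USDT and LP totalSupply are untouched."""
    if not 0 <= burn < pgnlz:
        raise ValueError("burn must leave a non-zero PGNLZ reserve")
    return usdt, pgnlz - burn


def burn_impact(usdt, pgnlz, burn, probe):
    """Compare what the same probe sell returns before and after the burn."""
    usdt_after, pgnlz_after = burn_from_pair_and_sync(usdt, pgnlz, burn)
    return {
        "pgnlz_reserve_after": pgnlz_after,
        # spot price is usdt/pgnlz, so it scales by pgnlz / pgnlz_after
        "spot_price_multiple": pgnlz // pgnlz_after,
        "probe_out_before": amount_out(probe, pgnlz, usdt),
        "probe_out_after": amount_out(probe, pgnlz_after, usdt_after),
    }


if __name__ == "__main__":
    r = burn_impact(USDT_RESERVE, PGNLZ_RESERVE, BURN, PROBE_SELL)
    print("PGNLZ reserve after burn :", r["pgnlz_reserve_after"])
    print("spot price multiple      :", r["spot_price_multiple"])
    print("1 PGNLZ -> USDT before   :", r["probe_out_before"] / 1e18)
    print("1 PGNLZ -> USDT after    :", r["probe_out_after"] / 1e18)
    print("share of USDT reserve    :", r["probe_out_after"] / USDT_RESERVE)
```

The same model works as a design-review check for any token that moves balances out of its own pair: a spot price multiple far above 1 for a realistic burn size means the mechanism hands LP value to the next seller.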

5. Adversary Flow Analysis

5.1 Adversary-related cluster accounts

The adversary-related cluster consists of:

  • EOA attacker: 0xfe95ecc0795399662221ab48948cdcf3f6d4aa86 (origin of the seed tx, final receiver of BEP20USDT profit).
  • Orchestrator contract: 0x6947cc82a49a20e2fd8ebb699230b92e7f1a6bfa (created by the seed tx; constructor executes the exploit).
  • Helper contract: 0xd93c837a05915facaee1cb1ea0628283b6ef5ad7 (intermediate receiver of USDT during orchestrator execution).

These accounts are linked purely by contract creation and value flows inside the seed transaction. There is no dependency on whitelists, privileged infrastructure, or non-public contracts.

5.2 Transaction sequence b (ACT opportunity)

Sequence b is a single adversary-crafted transaction from pre-state σ_B:

  • Chain: BSC (56)
  • Tx: 0xc7270212846136f3d103d1802a30cdaa6f8f280c4bce02240e99806101e08121
  • Type: Contract creation from attacker EOA deploying orchestrator 0x6947...

Inclusion feasibility:

  • Any unprivileged BSC EOA with sufficient PGNLZ balance (to sell into the PGNLZ/USDT pair) and minimal BNB for gas can construct and broadcast a functionally equivalent transaction from the same pre-state σ_B. The transaction uses only:
    • Pancake router 0x10ed43c718714eb63d5aa57b78b54704e256024e
    • PGNLZ token 0x6b923cf1d592e6aa07ea7249d817a843c30ac69e
    • PGNLZ/USDT pair 0x8cd8e57bcd00857bebe891a2349f32738cb7e658
    • Arbitrary attacker-deployed orchestrator/helper contracts
  • No whitelists, owner-only functions, or private relays are involved. The strategy relies solely on public contract interfaces and canonical on-chain state.

5.3 Step-by-step adversary execution

  1. From pre-state σ_B at block 77721026, the attacker EOA holds PGNLZ and BEP20USDT; the PGNLZ/USDT pair holds large PGNLZ and USDT reserves; PGNLZ’s pendingBurnFromLP is large and tradingEnabled is false.
  2. The attacker broadcasts the constructor transaction that deploys orchestrator 0x6947.... The constructor immediately:
    • Approves/uses Pancake router to route a PGNLZ sell from the attacker into the PGNLZ/USDT pair.
    • Invokes PGNLZ’s _handleSellTax, which, given pendingBurnFromLP > 0 and a qualifying amount, calls _executeBurnFromLP.
  3. _executeBurnFromLP:
    • Transfers roughly 982506561547673163020775 PGNLZ from the pair’s balance to DEAD.
    • Calls sync on the pair, updating reserves. USDT reserves and LP totalSupply remain unchanged at this point.
  4. With the pair now having extremely low PGNLZ reserves relative to USDT, the orchestrator executes swaps that sell the attacker’s remaining PGNLZ into BEP20USDT at a highly favorable price, effectively draining USDT from the pool.
  5. BEP20USDT flows through helper contract 0xd93c8... and ends up in the attacker EOA. The final ERC20 diffs show:
    • Attacker BEP20USDT: +100901091670654947873079
    • Pair BEP20USDT: -100901091670654947873079
  6. The transaction completes in a single block, leaving the PGNLZ/USDT pool with negligible PGNLZ and USDT reserves but an unchanged LP totalSupply, rendering LP tokens economically worthless.

6. Impact & Losses

The primary victim is the PGNLZ/USDT PancakePair 0x8cd8e57bcd00857bebe891a2349f32738cb7e658 and its liquidity providers.

Measured impact:

  • BEP20USDT (USDT) loss from the pair: 100901091670654947873079
  • BEP20USDT gain by attacker EOA: 100901091670654947873079
  • PGNLZ reserves in the pair collapse from 982506561547683163020775 to 14849037069946758939, with a corresponding burn to DEAD.
  • LP totalSupply remains at 316170103368536009213473, so LP token holders are left with tokens that no longer correspond to meaningful underlying reserves.

Economic effect:

  • LPs in the PGNLZ/USDT pool lose virtually all of the BEP20USDT backing their LP tokens.
  • Holders of PGNLZ who relied on this pool for liquidity see the primary market for their token effectively destroyed in a single block.
  • The attacker’s net profit in the BEP20USDT reference asset is at least 100901091670654947873079 units, ignoring the comparatively tiny gas cost paid in BNB (305024905024600 wei).

7. References

  • Seed transaction and balance diffs:
    • Tx: 0xc7270212846136f3d103d1802a30cdaa6f8f280c4bce02240e99806101e08121 (BSC, block 77721027)
    • Seed metadata and diffs: artifacts/root_cause/seed/56/0xc7270212846136f3d103d1802a30cdaa6f8f280c4bce02240e99806101e08121/
  • Victim and attacker contracts:
    • PGNLZ token (verified): 0x6b923cf1d592e6aa07ea7249d817a843c30ac69e
      • Compilation artifact and storage layout: artifacts/root_cause/seed/56/0x6b923cf1d592e6aa07ea7249d817a843c30ac69e/out/pgnlz.sol/PGNLZ.json
    • PGNLZ/USDT pair: 0x8cd8e57bcd00857bebe891a2349f32738cb7e658
      • Reserve and LP snapshots: artifacts/root_cause/data_collector/iter_4/contract/56/0x8cd8e57bcd00857bebe891a2349f32738cb7e658/pair_reserves_kLast_totalSupply_snapshots.json
    • Pancake router: 0x10ed43c718714eb63d5aa57b78b54704e256024e
    • Attacker orchestrator: 0x6947cc82a49a20e2fd8ebb699230b92e7f1a6bfa
      • Decompiled and trace data: artifacts/root_cause/data_collector/iter_1/contract/56/0x6947cc82a49a20e2fd8ebb699230b92e7f1a6bfa/
    • Helper contract: 0xd93c837a05915facaee1cb1ea0628283b6ef5ad7
  • On-chain traces and receipts:
    • Call trace (debug_traceTransaction, callTracer): artifacts/root_cause/data_collector/iter_4/tx/56/0xc7270212846136f3d103d1802a30cdaa6f8f280c4bce02240e99806101e08121_callTracer.json
    • Receipt and gas details: artifacts/root_cause/data_collector/iter_1/tx/56/0xc7270212846136f3d103d1802a30cdaa6f8f280c4bce02240e99806101e08121_receipt.rpc.json

Readers can reproduce the full analysis by combining these artifacts: reconstructing pre-state σ_B from pair snapshots and token storage, re-running the call trace for the seed transaction, and verifying that the PGNLZ pre-trading burn logic and subsequent swaps lead to the observed PGNLZ burns, USDT outflows, and attacker profit.