BSC PoolWithdraw Signature-Bypass Drains USDT Pool

1. Incident Overview TL;DR

An unprivileged adversary repeatedly drained USDT from pool contract 0x20dbf42970eb3fabe62615534c4ef15fd4d59596 on BSC by calling poolWithdraw(address,uint256,address,uint256,address[],uint256,bytes[]) (0xc7e36d91) with allSigners=[] and signatures=[].

The root cause is a function-level authorization gap: poolWithdraw allows value transfer and internal pool-balance decrement without enforcing the configured signer quorum (requiredSignatures=3) when signer arrays are empty.

The attack is ACT (is_act=true) because it is permissionless and reproducible from unrelated EOAs using public on-chain data only.

2. Key Background

Victim proxy: 0x20dbf42970eb3fabe62615534c4ef15fd4d59596.
Delegate implementation observed in traces: 0x79f9b0b81e08efc3690bb78611620cb1b708fccb.
Target token: USDT 0x55d398326f99059ff775485246999027b3197955.
Runtime selector mapping identifies:
- 0xc7e36d91 -> poolWithdraw(address,uint256,address,uint256,address[],uint256,bytes[])
- 0x43251e03 -> poolFeeWithdraw(address,uint256,address,uint256,uint256,address[],bytes[])

BSC PoolWithdraw Signature-Bypass Drains USDT Pool

USD Estimate Context

Token Loss Details

Exploit Transactions

Victim Addresses

Similar Incidents

Public Mint Drains USDT Pair

BNB-chain constructor exploit drains full USDT pool balance

InugamiStaking Expired-Pool Debt Initialization Bypass (BSC)

Root Cause Analysis

BSC PoolWithdraw Signature-Bypass Drains USDT Pool

1. Incident Overview TL;DR

2. Key Background

Public mint flaw drains USDT from c3b1 token pool

BSC staking pool reentrancy drain

0x3Af7 burn-rate manipulation drains WBNB from BSC pool

3. Vulnerability Analysis & Root Cause Summary

4. Detailed Root Cause Analysis

5. Adversary Flow Analysis

6. Impact & Losses

7. References