BUBU2 Permissionless LP-Balance Burn Trigger Exploit

Date: Mar 01, 2026 00:49 UTC
Label: Attack
Estimated Impact: 1,647,778,423.3 BUBU2, 32.18 WBNB
Manually checked
Exploit Tx: 1
Addresses: 2
Attack Window: Atomic (Mar 01, 2026 00:49 UTC → Mar 01, 2026 00:49 UTC)

Exploit Transactions

TX 1 (BSC)
0xd6e5d399b4a9df00bc890aa1462a8de01e8e28027d8a5d5607516ec54ce251a6
Mar 01, 2026 00:49 UTC

Victim Addresses

0x3ff3f18b5c113fac5e81b43f80bf438b99edee52 (BSC)
0x774547ea9d2a0cc79db3288f61e989f1b06bcd2f (BSC)

Loss Breakdown

1,647,778,423.3 BUBU2
32.18 WBNB

Root Cause Analysis

1. Incident Overview TL;DR

On BSC block 83955808, transaction 0xd6e5d399b4a9df00bc890aa1462a8de01e8e28027d8a5d5607516ec54ce251a6 executed a permissionless, flash-loan-backed exploit against BUBU2 liquidity.

An unprivileged adversary triggered BUBU2’s internal daily burn/mint routine from a normal transfer path. That routine directly debited BUBU2 tokens from the live BUBU2-WBNB LP pair (0x774547ea9d2a0cc79db3288f61e989f1b06bcd2f) and then called sync(), forcing the AMM to accept manipulated reserves. The adversary then sold BUBU2 into the distorted pool, repaid the flash loan, and realized net WBNB profit.

Root cause: the token contract allows non-exempt external transfer flow to permissionlessly invoke _triggerDailyBurnAndMint(), and that function performs LP-balance debits via super._update(uniswapPair, ...) before reserve resync.

2. Key Background

BUBU2 (0x3ff3f18b5c113fac5e81b43f80bf438b99edee52) is traded against WBNB (0xbb4cdb9cbd36b01bd1cbaebf2de08d9173bc095c) on PancakeSwap pair 0x774547ea9d2a0cc79db3288f61e989f1b06bcd2f.

For AMM safety, reserve-affecting token movements must remain consistent with swap/liquidity accounting. If a token contract can directly debit the pair’s balance out-of-band and then force reserve sync, market price can be pushed to an artificial state.

The exploit used a public flashloan source (0x6098a5638d8d7e9ed2f952d35b2b67c34ec6b476) and public router paths. No privileged owner/admin function was called by the attacker transaction.

3. Vulnerability Analysis & Root Cause Summary

The vulnerable logic is in BUBU2 transfer handling and the burn/mint trigger routine.

First, _update contains a trigger gate that is reachable from ordinary non-exempt transfer senders. When conditions are met, it calls _triggerDailyBurnAndMint().

Second, _triggerDailyBurnAndMint() computes rounds = (nowTime - lastTriggerTime) / TRIGGER_INTERVAL, so inactivity can magnify the amount moved. It then calculates burn/award quantities from current LP token balance and executes direct balance debits from the pair address to non-pair destinations.

Third, it calls IUniswapV2Pair(uniswapPair).sync() immediately afterward. This commits manipulated balances into reserves.

This violates LP reserve-integrity and least-privilege principles for reserve-affecting state transitions. The exploit is ACT (is_act=true) because any unprivileged actor can combine the same public state and public primitives to realize profit.

4. Detailed Root Cause Analysis

4.1 Code-Level Breakpoint (BUBU2 Source)

Relevant victim code (BUBU2 source):

// Excerpt 1: trigger gate inside _update, reachable from ordinary transfers
if (
    !swapping &&
    !isTaxExempt[from] &&
    from != address(this) &&
    !pairs[from] &&
    !isAdd &&
    from != address(uniswapV2Router) &&
    burnAndMintSwitch
) {
    swapping = true;
    _triggerDailyBurnAndMint();
    swapping = false;
}

// Excerpt 2: inside _triggerDailyBurnAndMint()
// The debit scales linearly with the number of elapsed intervals.
uint256 rounds = (nowTime - lastTriggerTime) / TRIGGER_INTERVAL;
...
uint256 blackAndLPAwardAmount = liquidityPairBalance
    .mul(BURN_BLACK_PERCENT.add(BURN_AWARD_PERCENT))
    .mul(rounds)
    .div(BASE_PERCENT);
...
// Pair-held tokens are moved by the token contract itself, then reserves are resynced.
super._update(uniswapPair, address(lpAddress), holdLPAwardAmount);
super._update(uniswapPair, BLACK_ADDRESS, blackAmount);
IUniswapV2Pair(uniswapPair).sync();

This is the direct invariant breakpoint: pair-held token balances are altered by token-internal logic not tied to normal AMM reserve-preserving operations.
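To make the breakpoint concrete, the following added example (not code from the BUBU2 contract or from this report) models a constant-product pair whose token balance is debited by the excerpt's linear-in-rounds formula and then synced. The percentage, base, swap fee and reserve sizes are assumed values; only rounds = 199 comes from the incident.

```python
# Added example: constant-product model of "debit the pair's token balance, then sync()".
# BASE_PERCENT, PCT_PER_ROUND, the fee and the reserves below are assumptions.
BASE_PERCENT = 10_000   # assumed denominator
PCT_PER_ROUND = 25      # assumed BURN_BLACK_PERCENT + BURN_AWARD_PERCENT (0.25% per round)
UNIT = 10**18           # 18-decimal token units

def debit_for_rounds(pair_token_balance, rounds):
    """Follows the excerpt: balance * percent * rounds / base, linear in rounds."""
    return pair_token_balance * PCT_PER_ROUND * rounds // BASE_PERCENT

def amount_out(amount_in, reserve_in, reserve_out, fee_bps=25):
    """UniswapV2-style quote; the 0.25% swap fee is an assumed parameter."""
    x = amount_in * (10_000 - fee_bps)
    return x * reserve_out // (reserve_in * 10_000 + x)

def quote_after_trigger(reserve_token, reserve_wbnb, rounds, sell_amount):
    """WBNB quoted for `sell_amount` tokens once the pair's token balance has been
    debited out-of-band and sync() has stored the smaller balance as the reserve."""
    synced_token_reserve = reserve_token - debit_for_rounds(reserve_token, rounds)
    # The WBNB reserve is untouched, so every remaining token is priced higher.
    return amount_out(sell_amount, synced_token_reserve, reserve_wbnb)

# Constructed pool state, not the real pair's reserves.
R_TOKEN, R_WBNB, SELL = 1_000_000 * UNIT, 1_000 * UNIT, 10_000 * UNIT

if __name__ == "__main__":
    for rounds in (0, 1, 199):
        q = quote_after_trigger(R_TOKEN, R_WBNB, rounds, SELL)
        print(f"rounds={rounds:3d} debit={debit_for_rounds(R_TOKEN, rounds) // UNIT:>7} "
              f"quote={q / UNIT:.4f} WBNB")
```

With these assumed numbers a single round barely moves the quote, while 199 stale rounds remove almost half of the pair's tokens and nearly double the WBNB quoted for the same sale.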

4.2 On-Chain Realization in the Incident Transaction

High-verbosity trace confirms the exploit stages in the same transaction:

trace line 40513: ...::flashLoan(18400000000000000000, ...)
trace line 40631: emit TriggerDailyBurnAndMint(... rounds: 199)
trace line 40632: 0x7745...cd2f::sync()
trace line 40763: WBNB::transfer(0x000000006723cfa477656c08d08882d366c0e8fb, 32176361483602658753)

Balance-diff evidence for tx 0xd6e5...251a6 matches this mechanism:

  • Pair BUBU2 dropped by 1647778423303789868831101738.
  • Burn address BUBU2 increased by 1381589928535545711745314609.
  • Attacker sender WBNB increased from 99074355704571107 to 32275435839307229860 (+32176361483602658753).
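The trace pattern above (tokens leaving the pair, then a sync() that is not part of a swap) can be checked for mechanically. The following is an added detection example, not tooling from this report: it walks decoded transaction logs and relies on the fact that a UniswapV2-style pair emits Swap, Mint or Burn immediately after its own Sync. The log dictionaries, the helper names and the USER, LP_REWARD and DEAD addresses are constructed for illustration.

```python
# Added example: flag token debits from an AMM pair that are committed by a
# standalone sync(). Sample logs are constructed, not the incident's receipt.
PAIR = "0x774547ea9d2a0cc79db3288f61e989f1b06bcd2f"   # BUBU2-WBNB pair (from the page)
TOKEN = "0x3ff3f18b5c113fac5e81b43f80bf438b99edee52"  # BUBU2 (from the page)
WBNB = "0xbb4cdb9cbd36b01bd1cbaebf2de08d9173bc095c"   # WBNB (from the page)
AMM_OPS = {"Swap", "Mint", "Burn"}  # emitted by the pair right after its own Sync

def transfer(emitter, src, dst, value):
    return {"address": emitter, "event": "Transfer",
            "args": {"from": src, "to": dst, "value": value}}

def pair_event(name):
    return {"address": PAIR, "event": name, "args": {}}

def out_of_band_debits(logs, pair=PAIR, token=TOKEN):
    """Amounts of `token` that left `pair` and were then written into reserves
    by a Sync that is not followed by the pair's own Swap/Mint/Burn event."""
    alerts, pending = [], 0
    for i, log in enumerate(logs):
        if (log["address"], log["event"]) == (token, "Transfer"):
            if log["args"]["from"] == pair:
                pending += log["args"]["value"]
        elif (log["address"], log["event"]) == (pair, "Sync"):
            nxt = logs[i + 1] if i + 1 < len(logs) else None
            in_amm_op = bool(nxt) and nxt["address"] == pair and nxt["event"] in AMM_OPS
            if pending and not in_amm_op:
                alerts.append(pending)
            pending = 0
    return alerts

USER, LP_REWARD, DEAD = "0xuser", "0xlpreward", "0xdead"  # constructed placeholders

# Constructed: ordinary buy. Tokens leave the pair, but inside the pair's swap().
BENIGN_TX = [transfer(WBNB, USER, PAIR, 10), transfer(TOKEN, PAIR, USER, 500),
             pair_event("Sync"), pair_event("Swap")]

# Constructed: a user transfer fires the token's routine, which moves pair-held
# tokens itself and calls sync(); a normal sell follows in the same transaction.
SUSPICIOUS_TX = [transfer(TOKEN, USER, USER, 1),
                 transfer(TOKEN, PAIR, LP_REWARD, 100), transfer(TOKEN, PAIR, DEAD, 900),
                 pair_event("Sync"),
                 transfer(TOKEN, USER, PAIR, 50), transfer(WBNB, PAIR, USER, 5),
                 pair_event("Sync"), pair_event("Swap")]

if __name__ == "__main__":
    print(out_of_band_debits(BENIGN_TX), out_of_band_debits(SUSPICIOUS_TX))
```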

4.3 ACT Opportunity Conditions and Predicate

ACT pre-state at block 83955808:

  • burnAndMintSwitch enabled.
  • lastTriggerTime stale enough to produce rounds > 0 (observed rounds=199).
  • Public flashloan liquidity and public AMM route availability.

Success predicate was profit in WBNB after loan repayment and fees. The transaction paid about 0.1000314942127 BNB-equivalent as tx value+gas, while ending with strictly positive WBNB delta.

5. Adversary Flow Analysis

Adversary-related accounts identified in this incident:

  • EOA sender/profit recipient: 0x000000006723cfa477656c08d08882d366c0e8fb
  • Exploit executor contract: 0x936eee4603751956db2e1b0fb13885a1176542df
  • Flashloan callback/helper contract: 0xaeee14beaac31e7c7c03720f1b173a3fe110664d

Victim-side components:

  • BUBU2 token: 0x3ff3f18b5c113fac5e81b43f80bf438b99edee52
  • BUBU2-WBNB pair: 0x774547ea9d2a0cc79db3288f61e989f1b06bcd2f

End-to-end flow:

  1. Flashloan bootstrap: attacker path borrows 18.4 WBNB from public pool.
  2. Price-conditioning leg: swap path obtains BUBU2 and executes transfer flow that triggers _triggerDailyBurnAndMint.
  3. Invariant break realization: LP pair BUBU2 is forcibly moved to burn/award addresses, then pair sync() updates reserves to manipulated values.
  4. Monetization: attacker sells BUBU2 against distorted reserves, repays flashloan principal, and transfers residual WBNB profit to sender EOA.

This is a single adversary-crafted public transaction and does not rely on private keys, privileged contracts, or non-public data.

6. Impact & Losses

Measured transaction-level impacts:

  • BUBU2 drained from LP pair balance: 1647778423303789868831101738.
  • Net WBNB gain to adversary sender: 32176361483602658753.

Effect: severe LP reserve distortion and localized mispricing enabled deterministic extraction of value in one block.

Security principles violated:

  • AMM reserve integrity.
  • Least-privilege for reserve-affecting state transitions.
  • Invariant-preserving accounting between pair balances and swap logic.

7. References

  1. Seed transaction trace: 0xd6e5d399b4a9df00bc890aa1462a8de01e8e28027d8a5d5607516ec54ce251a6 (BSC).
  2. Seed balance diff for the same tx (native + ERC20 deltas).
  3. Verified BUBU2 source used for breakpoint identification (_update, _triggerDailyBurnAndMint).
  4. Key contracts:
    • BUBU2: 0x3ff3f18b5c113fac5e81b43f80bf438b99edee52
    • BUBU2-WBNB pair: 0x774547ea9d2a0cc79db3288f61e989f1b06bcd2f
    • WBNB: 0xbb4cdb9cbd36b01bd1cbaebf2de08d9173bc095c
    • Flashloan pool used in flow: 0x6098a5638d8d7e9ed2f952d35b2b67c34ec6b476