• 149.743967145038025112 - 0.000144152801441528 = 149.743822992236583584 WBNB

This is an ACT (Adversary-Crafted Transaction) opportunity: a single, permissionless transaction crafted by an unprivileged EOA produces a strictly positive profit in the WBNB reference asset, using only publicly available contract functionality and existing liquidity.

ACT Opportunity and Profit Evidence

Pre-state at Block 73309656

Immediately before block 73309656 (pre_state_sigma_B), the canonical BSC state satisfies:

• MorningStar staking contract 0x91334D03DD9b9De8D48b50FE389337eEb759aeB1 holds 13,329,580,007,446,108,335,195,360 MSC at token address 0x713630359Cc9046869aD1642a7b61c23956425cC.
• Helper contract 0x1e70... holds a very large AMMToken/GPC balance and has allowances set on PancakeRouter 0x10ED43C718714eb63d5aA57B78B54704E256024E and the relevant AMM pairs.
• Liquidity and reserves in the MSC/GPC pair 0xAaE35C003A323D291B7293618506Aa612302B7cf, main GPC/WBNB pair 0x12dAbF..., and GPC/XDK pair 0xe3cBa5C0A8efAeDce84751aF2EFDdCf071D311a9 match the recorded trace and prestate balance diffs.

This configuration is reconstructed from:

• Seed metadata for the exploit transaction.
• Cast trace and prestateTracer-based balance diffs for 0x6c9ed4....
• Verified MorningStar source and decompiled helper source.

Snippet 1 — MSC and AMMToken balance deltas (prestateTracer diff)

Source: prestateTracer balance diff for the exploit transaction (debug_traceTransaction with prestateTracer) showing ERC20 deltas.

{
  "erc20_balance_deltas": [
    {
      "token": "0x713630359cc9046869ad1642a7b61c23956425cc",
      "holder": "0x91334d03dd9b9de8d48b50fe389337eeb759aeb1",
      "before": "13329580007446108335195360",
      "after": "0",
      "delta": "-13329580007446108335195360",
      "contract_name": "MSC"
    },
    {
      "token": "0x713630359cc9046869ad1642a7b61c23956425cc",
      "holder": "0xaae35c003a323d291b7293618506aa612302b7cf",
      "before": "1995911235000045821689622",
      "after": "8660701238723099989287302",
      "delta": "6664790003723054167597680",
      "contract_name": "MSC"
    },
    {
      "token": "0x713630359cc9046869ad1642a7b61c23956425cc",
      "holder": "0x6278fa23fbe28b9736214e03cf2030f5ee1ccac9",
      "before": "8193779314400978865562",
      "after": "6672983783037455146463242",
      "delta": "6664790003723054167597680",
      "contract_name": "MSC"
    }
  ]
}

Caption: MorningStar’s entire MSC balance (13,329,580,007,446,108,335,195,360) leaves the staking contract and is split exactly in half between the MSC/GPC pool and the MorningStar profit Gnosis Safe.

ACT Transaction and Profit Calculation

The ACT opportunity consists of a single adversary-crafted transaction:

• Chain: BSC (56)
• Tx hash: 0x6c9ed4c2d81b6abfdf297b0cbc13585ed91f2a5e69e3545d3ea4316f50021b56
• Type: adversary-crafted
• Mechanism: contract creation (runtime code executes the exploit)
• Sender/tx.origin: EOA 0xB072...

From the seed trace and balance diffs:

• Helper 0x1e70... receives 205.635720265951753886 WBNB from the GPC/WBNB pair.
• It spends 55.891753120913728774 WBNB back into that pair via PancakeRouter::swapTokensForExactTokens.
• It ends with 149.743967145038025112 WBNB and transfers this full amount to 0xB072....
• The native balance diff shows 0xB072... pays 0.000144152801441528 BNB in gas, with no other native balance changes in the adversary cluster.

Treating BNB and WBNB 1:1, the adversary’s portfolio change in the WBNB reference asset is strictly positive:

• 149.743967145038025112 - 0.000144152801441528 = 149.743822992236583584 WBNB

Snippet 2 — WBNB profit path (cast trace)

Source: cast trace for the exploit transaction, focusing on WBNB movements.

PancakePair::swap(205635720265951753886, 0, 0x1e70..., 0x)
  WBNB::transfer(0x1e70..., 205635720265951753886)
...
PancakeRouter::swapTokensForExactTokens(..., 205635720265951753886, [WBNB, AMMToken], 0x1e70..., ...)
  WBNB::transferFrom(0x1e70..., PancakePair: [0x12dAbF...], 55891753120913728774)
...
WBNB::transfer(0xB072..., 149743967145038025112)

Caption: Helper 0x1e70... receives 205.6357 WBNB, spends 55.8917 WBNB back into the GPC/WBNB pair, and then transfers the remaining 149.7439 WBNB to the adversary EOA.

Snippet 3 — Native gas cost (prestateTracer native deltas)

Source: prestateTracer native balance deltas for the exploit transaction.

{
  "native_balance_deltas": [
    {
      "address": "0xb0720d8541cd2b6fc35ccc39ec84e84383a7000b",
      "before_wei": "295154261400000000",
      "after_wei": "295010108598558472",
      "delta_wei": "-144152801441528"
    }
  ]
}

Caption: The only native BNB movement in the adversary cluster is gas paid by 0xB072..., confirming the net WBNB-equivalent profit calculation.

Vulnerability & Root Cause Analysis

Vulnerable Component: MorningStar releaseReward

The core vulnerability lies in the MorningStar staking contract’s releaseReward function. It is declared public with no access control or bounds on the fee parameter and directly spends MorningStar’s MSC balance and routes assets into AMM pools.

Snippet 4 — releaseReward implementation (MorningStar.sol)

Source: verified MorningStar staking contract source (MorningStar.sol).

function releaseReward(uint256 fee) public{
    uint256 burnFee = fee/2;
    uint256 profitFee = fee-burnFee;
    swapTokenForGPC(burnFee,uniswapV2PairGpc);
    IPancakePair(uniswapV2PairGpc).sync(); 
    IERC20(msc).safeTransfer(profit,profitFee);   
}

Caption: Any caller can choose an arbitrary fee, causing MorningStar to swap half of that MSC into the MSC/GPC pool and send the other half directly to the profit address.

Key properties:

• releaseReward(uint256 fee) is public and unguarded; there is no onlyOwner or role-based restriction.
• fee is a raw caller-supplied value; there is no check that it corresponds to accumulated rewards or any internal accounting.
• The function:
  • Computes burnFee = fee / 2.
  • Computes profitFee = fee - burnFee.
  • Calls swapTokenForGPC(burnFee, uniswapV2PairGpc) to route MSC into GPC via PancakeRouter, sending output into a fixed MSC/GPC pair.
  • Calls IPancakePair(uniswapV2PairGpc).sync() to update pair reserves.
  • Calls IERC20(msc).safeTransfer(profit, profitFee) to send the remaining MSC directly to the profit address.

Because MorningStar has pre-approved PancakeRouter to spend its MSC and holds the protocol’s staking pool balance, any arbitrary caller can:

• Make the contract spend up to its entire MSC balance into the MSC/GPC pair, shifting value into AMMToken and subsequently into GPC/WBNB liquidity.
• Transfer half of the specified fee directly to the profit address.

Exploit Mechanism: Draining MorningStar and Leveraging AMM Imbalance

The exploit transaction’s runtime execution on the deployed attack contract performs three main steps:

1. Leverage helper 0x1e70... to manipulate AMM pools and set approvals.
2. Invoke MorningStar releaseReward with fee = MorningStar.mscBalance.
3. Use AMMToken reserves and price impact to extract WBNB.

Helper Contract: _attack and tx.origin Guard

The decompiled helper contract 0x1e70... contains an _attack() function that is gated by tx.origin and orchestrates AMM interactions.

Snippet 5 — _attack entrypoint (decompiled helper)

Source: Heimdall decompiled source for helper contract 0x1e70....

function _attack() public {
    require(tx.origin == (address(store_a)), "Only owner can call this function");
    ...
    (bool success, bytes memory ret0) =
        address(0xd3c304697f63b279cd314f92c19cdbe5e5b1631a).Unresolved_70a08231(var_b); // AMMToken::balanceOf
    ...
    (bool success, bytes memory ret1) =
        address(0xe3cba5c0a8efaedce84751af2efddcf071d311a9).Unresolved_022c0d9f(var_e); // AMM pair swap
}

Caption: Helper _attack() can only be executed when tx.origin equals address(store_a), binding the helper contract to a specific EOA, and then drives AMMToken and pair interactions.

From the cast trace:

• Before interacting with MorningStar, the helper:
  • Approves PancakeRouter to spend unlimited AMMToken and WBNB.
  • Confirms its large AMMToken balance via AMMToken::balanceOf(0x1e70...).
  • Executes swapExactTokensForTokensSupportingFeeOnTransferTokens to move AMMToken into the GPC/WBNB pair.

This confirms that:

• store_a is set to 0xB072... (since _attack() executes without reverting when tx.origin == 0xB072...).
• The helper is adversary-controlled and pre-funded with AMMToken and approvals.

Triggering the Vulnerability: Calling releaseReward with Full MSC Balance

Within the exploit transaction, helper 0x1e70... reads MorningStar’s MSC balance and calls releaseReward with that exact amount:

• MSC.balanceOf(MorningStar) = 13,329,580,007,446,108,335,195,360 MSC
• fee = 13,329,580,007,446,108,335,195,360
• burnFee = fee / 2 = 6,664,790,003,723,054,167,597,680
• profitFee = fee - burnFee = 6,664,790,003,723,054,167,597,680

The resulting on-chain effects, captured in the trace and balance diffs, are:

• MorningStar’s MSC balance goes to zero.
• The MSC/GPC pair receives exactly 6,664,790,003,723,054,167,597,680 MSC (matching the burnFee).
• The profit Gnosis Safe receives exactly 6,664,790,003,723,054,167,597,680 MSC (matching the profitFee).

AMM Unwinding and WBNB Profit Realization

After MorningStar’s MSC is partially swapped into AMMToken and partially moved to the profit address, the helper uses:

• Its large existing AMMToken holdings.
• The increased AMMToken position in the GPC/WBNB and GPC/XDK pools.

to push the AMM system through a sequence of swaps:

1. AMMToken → WBNB in the GPC/WBNB pair.
2. WBNB → AMMToken and AMMToken ↔ XDK through the GPC/XDK pool.
3. Final AMMToken → WBNB to consolidate the profit.

The trace shows:

• PancakePair::swap and AMMToken::transfer operations moving AMMToken between the MSC/GPC and GPC/WBNB pools.
• WBNB transfers generating the 205.6357 WBNB inflow and 55.8917 WBNB outflow for helper 0x1e70....
• A final WBNB::transfer from 0x1e70... to 0xB072... of 149.743967145038025112 WBNB.

This confirms the described AMM unwinding and the realized profit.

Root Cause Summary

The root cause is a protocol-level bug in MorningStar’s staking contract:

• Missing access control on releaseReward(uint256 fee), which is publicly callable by any address.
• Unbounded, caller-controlled fee parameter that is not tied to per-user or per-epoch accounting and can be set to MorningStar’s full MSC balance.
• Direct, large-scale asset movements triggered by a single call:
  • Swapping half the specified MSC into the MSC/GPC pair (changing AMM reserves and pushing value into GPC/WBNB).
  • Transferring the other half directly to the profit address.

Helper 0x1e70... and the attack contract 0x486d... simply exploit this flawed API, using AMM mechanics and pre-loaded liquidity to convert the induced imbalance into a one-shot WBNB profit.

Adversary Flow Analysis

Adversary Cluster and Roles

The analysis identifies a tightly scoped adversary cluster:

• EOA (attacker origin):
  • Address: 0xB0720D8541cD2b6fC35cCC39ec84e84383A7000b
  • Role: Sender and tx.origin of the exploit transaction, gas payer, and final WBNB recipient.
• Attack contract:
  • Address: 0x486da49a56b564B824ea140fa4a5fF74DE6CF34B
  • Role: Created by 0xB072... in the exploit transaction; its runtime execution orchestrates calls into helper 0x1e70..., MorningStar, PancakeRouter, and AMM pairs.
• Helper contract:
  • Address: 0x1e70f17d4E9dB9341AF7fc6a8FfcDCb2A52291e5
  • Role: Adversary-controlled contract with _attack() guarded by tx.origin == address(store_a); holds and routes AMMToken and WBNB balances; central executor of the AMM manipulation and releaseReward call.

This clustering is supported by:

• The _attack() tx.origin guard.
• The cast trace showing helper-driven approvals, swaps, and the final WBNB transfer to 0xB072....
• Etherscan txlists for 0xB072... and 0x1e70... indicating usage patterns consistent with attacker-specific infrastructure.

Victim and Related Contracts

Key victim-side and infrastructure contracts include:

• MorningStar staking contract:
  • Address: 0x91334D03DD9b9De8D48b50FE389337eEb759aeB1
  • Role: Holds user MSC on behalf of stakers; exposes vulnerable releaseReward function.
• MSC token:
  • Address: 0x713630359Cc9046869aD1642a7b61c23956425cC
  • Role: Underlying reward/staking token drained from MorningStar.
• AMM pairs:
  • MSC/GPC pair: 0xAaE35C003A323D291B7293618506Aa612302B7cf
  • GPC/WBNB pair: 0x12dAbFCe08eF59c24cdee6c488E05179Fb8D64D9
  • GPC/XDK pair: 0xe3cBa5C0A8efAeDce84751aF2EFDdCf071D311a9
• Gnosis Safe (profit address):
  • Address: 0x6278FA23Fbe28B9736214E03cf2030F5ee1CCaC9
  • Role: Receives half of MorningStar’s drained MSC directly from releaseReward.

Lifecycle Stages

The adversary flow can be decomposed into three lifecycle stages, all realized within the single exploit transaction but relying on pre-incident setup.

1. Helper Pre-funding and Approvals (Pre-incident)

Before block 73309656:

• Helper 0x1e70... is deployed with store_a configured to the attacker EOA 0xB072....
• It accumulates a large AMMToken/GPC position.
• It sets allowances on PancakeRouter and the relevant AMM pairs.

Evidence:

• The trace shows AMMToken::balanceOf(0x1e70...) returning 46,841,803,215,322,280,406,440,238 AMMToken.
• The helper successfully executes _attack() with tx.origin == 0xB072..., confirming the ownership binding.

2. Attack Contract Deployment and MorningStar MSC Drain

Stage: “Attack contract deployment and MorningStar MSC drain.”

Within the exploit transaction:

• 0xB072... sends a contract-creation transaction whose input is the creation bytecode of 0x486d....
• The newly deployed contract immediately calls helper 0x1e70....
• The helper:
  • Reads MSC.balanceOf(MorningStar) and obtains 13,329,580,007,446,108,335,195,360 MSC.
  • Calls MorningStar::releaseReward with this exact amount as fee.

Effects:

• MorningStar’s MSC balance goes to zero.
• Half of the MSC is swapped into AMMToken in the MSC/GPC pool, enriching GPC/WBNB liquidity.
• Half is transferred directly to the profit Gnosis Safe.

3. AMM Unwinding and WBNB Profit Realization

Stage: “AMM unwinding and WBNB profit realization.”

Using:

• The injected AMMToken resulting from MorningStar’s MSC swap.
• Its own pre-loaded AMMToken holdings and approvals.

helper 0x1e70...:

• Executes swaps across the GPC/WBNB and GPC/XDK pools to route AMMToken → WBNB → AMMToken → XDK → WBNB as needed.
• Ends with 149.743967145038025112 WBNB at 0x1e70....
• Transfers the entire WBNB balance to 0xB072....

Combined with the gas cost, this yields a net WBNB-equivalent profit of 149.743822992236583584 for the adversary.

Impact & Losses

Token-Level Losses

The primary quantified token-level losses are:

• MSC:
  • Amount lost from MorningStar: 13,329,580,007,446,108,335,195,360 MSC.
  • Split:
    • 6,664,790,003,723,054,167,597,680 MSC swapped into AMMToken in the MSC/GPC pair.
    • 6,664,790,003,723,054,167,597,680 MSC transferred to the profit Gnosis Safe.
• AMMToken (GPC-side token) from MSC/GPC pool:
  • Net loss: 71,551,581,422,663,723,226,014,917 AMMToken from the MSC/GPC pool, reflecting the AMM rebalancing that enriches the main GPC/WBNB pool.

From the balance diffs and trace:

• MorningStar’s MSC holdings, representing staker funds, are fully removed.
• AMMToken reserves are rebalanced across the MSC/GPC, GPC/WBNB, and GPC/XDK pools in a way that supports the adversary’s WBNB extraction.

Economic Impact

At the protocol level:

• MorningStar’s staking contract loses all MSC held on behalf of stakers.
• The profit Gnosis Safe receives a large MSC windfall that is not backed by legitimate rewards.

For liquidity providers:

• LPs in the GPC/WBNB and GPC/XDK pools suffer losses as the pools are pushed through unfavorable price paths, ending with 149.743822992236583584 WBNB effectively extracted to the adversary cluster.
• While per-address LP losses are not enumerated from current artifacts, the token-level deltas in MSC, AMMToken, and the adversary’s WBNB profit match the described exploit flow.

For the adversary:

• The EOA 0xB072... realizes a net gain of 149.743822992236583584 WBNB-equivalent, after accounting for gas.

References

• [1] Seed transaction metadata for 0x6c9ed4... on BSC: Collected RPC and Etherscan metadata for the exploit transaction, including block, sender, and input data.
• [2] Cast trace for 0x6c9ed4...: High-verbosity call and event trace showing MorningStar::releaseReward, helper _attack, AMM swaps, and WBNB flows.
• [3] MorningStar staking contract source (MorningStar.sol): Verified contract source for 0x91334D03DD9b9De8D48b50FE389337eEb759aeB1, including releaseReward and swapTokenForGPC.
• [4] Helper contract decompiled source (0x1e70...): Heimdall decompiled Solidity for the helper contract, including _attack and its tx.origin guard tying it to 0xB072....