d3xat Treasury Drain
Exploit Transactions
0x26bcefc152d8cd49f4bb13a9f8a6846be887d7075bc81fa07aa8c0019bd6591f
Victim Addresses
0xb8ad82c4771daa852ddf00b70ba4be57d22edd99 (BSC)
0x2cc8b879e3663d8126fe15dadaaa6ca8d964bbbe (BSC)
Root Cause Analysis
1. Incident Overview TL;DR
On BSC block 57780985, transaction 0x26bcefc152d8cd49f4bb13a9f8a6846be887d7075bc81fa07aa8c0019bd6591f used a Pancake V3 flash loan to drain the d3xat exchange treasury. The attacker borrowed USDT, bought d3xat from the protocol exchange at the treasury quote, pushed the Pancake d3xat/USDT spot price upward with repeated market buys, redeemed small d3xat lots back into the exchange at the now-inflated quote, liquidated the remaining seller inventories through the AMM, and repaid the flash loan with profit. The measurable treasury loss was 239832087664667062923384 USDT base units.
The root cause is that the exchange pays a treasury-funded linear quote derived from d3xat.price(), while price() reads a manipulable Pancake spot quote through getAmountsOut(1e18, [d3xat, USDT]). That lets a flash-loan adversary move the AMM spot for one block and redeem d3xat against the treasury at a price detached from executable liquidity.
2. Key Background
The protocol component that loses funds is the exchange proxy at 0xb8ad82c4771DAa852DdF00b70Ba4bE57D22eDD99. It holds a large USDT treasury and exposes a generic exchange(address,address,uint256) entrypoint that services both USDT-to-d3xat buys and d3xat-to-USDT redemptions.
The d3xat token proxy at 0x2Cc8B879E3663d8126fe15daDaaA6Ca8D964BbBE is paired against USDT in Pancake pair 0xaec58FBd7Ed8008A3742f6d4FFAA9F4B0ECbc30e. The execution trace shows that the token pricing path reaches PancakeRouter 0x10ED43C718714eb63d5aA57B78B54704E256024E::getAmountsOut(1e18, [d3xat, USDT]), so the exchange is effectively importing a single-block AMM reserve ratio as its treasury price oracle.
The token also charges a sell fee on transfers into the pair. The trace and replay preserve that behavior: part of each final seller liquidation is diverted to fee sink 0x13342140A62Cb51C052b5a70eb186f40a1725eBf, and only the remainder reaches the pair.
3. Vulnerability Analysis & Root Cause Summary
This is a treasury-pricing attack. The unsafe invariant is that a treasury redemption should never pay more USDT than a manipulation-resistant oracle or executable post-fee liquidity can justify. The exchange violates that invariant by valuing d3xat redemptions with a flat, linear quote derived from the current Pancake spot price. Because the quote does not model slippage, reserve impact, or time weighting, a flash-loan adversary can briefly raise the AMM price and immediately redeem into the treasury. The trace shows the same quote path serving both the initial treasury buys and the later d3xat-to-USDT redemptions. The exploit is therefore not a bug in flash liquidity or AMM routing; it is the protocol’s direct dependence on a manipulable spot quote for treasury payouts.
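Added example (not part of the original report or the protocol's code): a Python model of the invariant above, comparing the flat spot-derived quote with a guarded payout. The pool reserves, lot size, 2% deviation bound and the function names are constructed assumptions, and the reference price stands in for a time-weighted oracle reading.

```python
WAD = 10**18  # 18-decimal fixed point, as used by both tokens in this model

def get_amount_out(amount_in, reserve_in, reserve_out, fee_bps=25):
    """Constant-product output after a 0.25% swap fee (Pancake V2-style model)."""
    net_in = amount_in * (10_000 - fee_bps)
    return net_in * reserve_out // (reserve_in * 10_000 + net_in)

def spot_price(r_token, r_usdt):
    """What the report says price() reads: getAmountsOut(1e18, [token, USDT])."""
    return get_amount_out(WAD, r_token, r_usdt)

def linear_quote(amount, r_token, r_usdt):
    """Flawed valuation: spot price scaled linearly, ignoring slippage."""
    return amount * spot_price(r_token, r_usdt) // WAD

def pool_after_buy(usdt_in, r_token, r_usdt):
    """Reserves after a market buy of the token with usdt_in."""
    return r_token - get_amount_out(usdt_in, r_usdt, r_token), r_usdt + usdt_in

def guarded_payout(amount, r_token, r_usdt, ref_price, max_dev_bps=200):
    """Pay at most min(reference valuation, executable output); refuse when
    spot has drifted more than max_dev_bps from the reference price."""
    spot = spot_price(r_token, r_usdt)
    if abs(spot - ref_price) * 10_000 > ref_price * max_dev_bps:
        raise ValueError("spot deviates from reference price; redemption refused")
    executable = get_amount_out(amount, r_token, r_usdt)
    return min(amount * ref_price // WAD, executable)

# Constructed scenario (not incident data): 100k token / 1M USDT pool.
CALM = (100_000 * WAD, 1_000_000 * WAD)
REF_PRICE = spot_price(*CALM)                    # stand-in for a TWAP reading
PUMPED = pool_after_buy(9_000_000 * WAD, *CALM)  # same-block spot distortion
LOT = 1_000 * WAD

if __name__ == "__main__":
    print("linear quote, calm  :", linear_quote(LOT, *CALM) / WAD)
    print("linear quote, pumped:", linear_quote(LOT, *PUMPED) / WAD)
    print("guarded, calm       :", guarded_payout(LOT, *CALM, REF_PRICE) / WAD)
    try:
        guarded_payout(LOT, *PUMPED, REF_PRICE)
    except ValueError as err:
        print("guarded, pumped     :", err)
```

In this model the executable-output cap alone would not stop the overpayment in the pumped state, because the distorting buys also deepen the pool's USDT side; the reference-price deviation check is what refuses the redemption.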
4. Detailed Root Cause Analysis
The attack starts from a fully permissionless pre-state. The attacker EOA 0x4b63c0cf524f71847ea05b59f3077a224d922e8d had already deployed orchestrator 0x3b3e1edeb726b52d5de79cf8dd8b84995d9aa27c in transaction 0x36811c78469e63316f042c105dfc74a00a3df848efac12413df48ecad56cf2c6. The constructor analysis for that deployment shows two helper implementations created in-constructor at 0x4beefd0f0064cb8faf045b989976a453ae983da6 and 0x191d13f9ae8833577eb182e9cfb33015b52a3ce4, matching the later helper fanout used in the exploit.
In the seed transaction, the attacker borrows 20000000000000000000000000 USDT from Pancake V3 flash pool 0x92b7807bF19b7DDdf89b706143896d05228f3121. The same transaction then performs two treasury buys through the exchange. The execution trace shows the treasury quote output 9367736678314677930664 d3xat for each buy, which matches the root-cause claim that the exchange is using a flat quote rather than market-impact-aware execution.
After seeding seller inventories, the attacker performs twenty-five AMM buys to move the d3xat/USDT spot price upward. This matters because the exchange redemption path later re-reads the token price from PancakeRouter spot state. The critical trace segment shows the redemption flow calling the exchange with 29740606898687781957 d3xat, then reaching PancakeRouter::getAmountsOut(1000000000000000000, [d3xat, USDT]), and then paying 11831071167064912423253 USDT from the exchange treasury for that tiny d3xat lot.
exchange(d3xat, usdt, 29740606898687781957)
-> PancakeRouter::getAmountsOut(1e18, [d3xat, usdt])
-> BEP20USDT::transfer(..., 11831071167064912423253)
That redemption is repeated nineteen times. The root-cause analysis correctly characterizes the exploit breakpoint: treasury payout math is directly parameterized by a manipulable AMM spot quote. The final reverted twentieth redemption is consistent with treasury depletion rather than any pricing safeguard. The balance diff confirms the economic result: the exchange treasury lost 239832087664667062923384 USDT base units, the flash pool ended 2000000000000000000000 USDT richer from fees, and the attacker EOA realized a positive native-value delta after gas.
5. Adversary Flow Analysis
The adversary flow is end-to-end complete and supported by concrete artifacts:
1. Deploy orchestrator and helper implementations.
2. Borrow 20,000,000 USDT from Pancake V3 flash pool.
3. Buy d3xat twice from the exchange treasury at the flat quote.
4. Pump Pancake d3xat/USDT spot with 25 market buys.
5. Redeem small d3xat chunks 19 times into the exchange at the manipulated quote.
6. Sell remaining seller inventories through Pancake.
7. Repay flash principal plus 2,000 USDT fee and keep the remainder.
The seed transaction metadata identifies the caller and target, and the trace shows the exact redemption loop and flash-loan repayment. The constructor analysis ties the helper structure to the attacker deployment. This matches the ACT framing: no privileged keys, private admin access, or attacker-only off-chain artifacts are required. A new adversary can deploy fresh helpers, source public flash liquidity, and reproduce the same economic path from public chain state.
6. Impact & Losses
The direct loss is borne by the d3xat exchange treasury. The balance diff records a USDT decrease from 243209105515353882610083 to 3377017850686819686699 for exchange address 0xb8ad82c4771DAa852DdF00b70Ba4bE57D22eDD99, a net loss of 239832087664667062923384 base units.
Additional side effects are consistent with the exploit mechanics rather than the root cause itself: the fee sink accumulates proceeds from the token sell-fee path, the Pancake pair absorbs the final liquidation flow, and the flash pool receives the fixed fee payment. None of those components are the treasury-loss source; the protocol loss comes from overpaying redemptions against a manipulable quote.
7. References
- Seed exploit transaction: 0x26bcefc152d8cd49f4bb13a9f8a6846be887d7075bc81fa07aa8c0019bd6591f
- Attacker deployment transaction: 0x36811c78469e63316f042c105dfc74a00a3df848efac12413df48ecad56cf2c6
- Exchange proxy: 0xb8ad82c4771DAa852DdF00b70Ba4bE57D22eDD99
- Exchange implementation artifact: 0x89a0af274e6244f781a50d632b222231ef7655eb
- d3xat token proxy: 0x2Cc8B879E3663d8126fe15daDaaA6Ca8D964BbBE
- d3xat implementation artifact: 0x13b5ca6642d9c2309b4c34f8b591e35b629458fc
- Pancake router: 0x10ED43C718714eb63d5aA57B78B54704E256024E
- Pancake pair: 0xaec58FBd7Ed8008A3742f6d4FFAA9F4B0ECbc30e
- Flash pool: 0x92b7807bF19b7DDdf89b706143896d05228f3121
- Supporting evidence: seed tx metadata, full seed trace, balance diff, constructor analysis, and validator replay log under /workspace/session/artifacts/validator/forge-test.log