This is a lower bound: only assets with reliable historical USD prices are counted, so the actual loss may be higher.
0x88a6c2c3ce86d4e0b1356861b749175884293f4302dbfdbfb16a5e373ab58a100xed56784bc8f2c036f6b0d8e04cb83c253e4a6a94BSC0x0557713d02a15a69dea5dd4116047e50f521c1b1BSCBambooAI on BSC exposed a public, permissionless reserve-manipulation path in its token transfer logic. Before seed transaction 0x88a6c2c3ce86d4e0b1356861b749175884293f4302dbfdbfb16a5e373ab58a10 in block 29668036, trading was already open, sale was already initialized, and the Pancake BAMBOO/WBNB pair 0x0557713d02a15a69dea5dd4116047e50f521c1b1 held live liquidity. Under that public pre-state, any BAMBOO holder could trigger BambooAI’s hidden updatePool path, drain 1% of each qualifying transfer from the LP into a hard-coded sink, force the pair to sync(), and then sell BAMBOO into the manipulated pool for WBNB. The seed attacker used helper contract 0xcdf0eb202cfd1f502f3fdca9006a4b5729aadebc and realized 11.913501282999043656 WBNB before gas; after subtracting 0.327148885046735555 BNB-equivalent gas paid by the controller EOA, the net delta was 11.586352397952308101 BNB-equivalent. No non-monetary success predicate was needed.
The root cause is BambooAI’s private updatePool(uint256 amount) routine, which directly edits the BAMBOO balance recorded for the LP and immediately calls sync() from an ordinary _transfer path. That breaks the core AMM invariant that reserve changes must come only from legitimate swap or liquidity flows that are explicitly accounted for by token movement and pair events.
BambooAI (0xed56784bc8f2c036f6b0d8e04cb83c253e4a6a94) is a fee-on-transfer token deployed on BSC with a hard-coded Pancake router at 0x10ED43C718714eb63d5aA57B78B54704E256024E. In its constructor it creates and stores the BAMBOO/WBNB pair 0x0557713d02a15a69dea5dd4116047e50f521c1b1, so LP interactions are first-class protocol state rather than external configuration.
The contract also stores an immutable variable named Factory, but it is not the Pancake factory. The verified source assigns Factory = address(routerHash), and routerHash decodes to 0xf1d8f914dc5693de077c4dc10005703c8389ab43. Validator-side chain reads confirm that this hidden sink is a transparent proxy whose owner() at block 29668035 is 0x9B71B4Dc9E9DCeFAF0e291Cf2DC5135A862A463d, and whose EIP-1967 admin slot points to 0xc38e0c775fbceba0eb7ab9b71aa67fea0bd04675.
From the same pre-state, the token had tradingOpen=true and a non-zero sale, which is the exact condition needed to arm the hidden reserve mutation. The seed metadata and verified source therefore establish the public ACT setup completely: live trading, live LP liquidity, and an ERC20 transfer path that any unprivileged holder can invoke.
Verified BambooAI constructor snippet:
constructor() {
IUniswapV2Router02 _uniswapV2Router = IUniswapV2Router02(
0x10ED43C718714eb63d5aA57B78B54704E256024E
);
uniswapPair = IUniswapV2Factory(_uniswapV2Router.factory()).createPair(
address(this),
_uniswapV2Router.WETH()
);
uniswapV2Router = _uniswapV2Router;
_allowances[address(this)][address(uniswapV2Router)] = _totalSupply;
Factory = address(routerHash);
}
The vulnerability is a deliberately hidden LP reserve mutation embedded inside BambooAI’s standard transfer path. Once sale > 0, every transfer from a sender that is not marked as a market pair executes updatePool(amount) before the token completes its ordinary balance move. updatePool checks only that amount > 10000 and that the pair currently holds more BAMBOO than amount, then computes fA = amount / 100, subtracts fA from _balances[uniswapPair], credits _balances[Factory], and calls IUniswapV2Pair(uniswapPair).sync(). This means the pair’s BAMBOO reserve can be reduced without any corresponding WBNB outflow or legitimate swap input. The balance mutation is invisible as a BAMBOO Transfer from the pair to the hidden sink, so on-chain observers see the pair resynced around a silently reduced reserve. An attacker only needs BAMBOO inventory and the ability to cause repeated transfers between addresses they control, then they can sell BAMBOO into the manipulated pair for excess WBNB. That is a direct AMM reserve-integrity violation, not a pricing side effect or privileged admin action.
Verified BambooAI transfer path and breakpoint:
function _transfer(
address sender,
address recipient,
uint256 amount
) private returns (bool) {
...
if (!isMarketPair[sender] && sale > 0) updatePool(amount);
...
}
function updatePool(uint256 amount) private {
if (amount > 10000 && balanceOf(uniswapPair) > amount) {
uint256 fA = amount / 100;
_balances[uniswapPair] = _balances[uniswapPair].sub(fA);
_balances[Factory] = _balances[Factory].add(fA);
try IUniswapV2Pair(uniswapPair).sync() {} catch {}
}
}
The ideal invariant is straightforward: the Pancake BAMBOO/WBNB pair reserve should change only through explicit, auditable liquidity or swap flows in which the pair’s balances and emitted accounting events correspond to actual value transfer. BambooAI breaks that invariant inside its own token accounting.
After trading is enabled, BambooAI treats any non-pair sender as eligible to run updatePool. The attacker therefore does not need ownership, presale access, whitelisting, or any private integration with the hidden sink. They only need to hold BAMBOO and choose a transfer amount above 10000 raw units while the pair still has more BAMBOO than that amount. Every qualifying transfer removes amount / 100 BAMBOO directly from the pair balance, credits the hidden sink 0xf1d8f914dc5693de077c4dc10005703c8389ab43, and forces the pair to resynchronize to the lower BAMBOO reserve.
Because sync() updates the pair reserves to the already-mutated balances, the AMM state begins to price BAMBOO as scarcer than it should be. The attacker can loop ordinary transfers between controlled addresses or helper contracts to repeat the hidden drain, then dispose of BAMBOO into the now-mispriced pair. No secret, no privileged callback, and no attacker-specific bytecode is required; the exploitability is in the victim token’s public _transfer path itself.
Representative seed trace excerpt from the recorded on-chain execution shows the attack closing with a BAMBOO sale into the pair and a large WBNB payout to the attacker helper:
0x10ED43...024E::swapExactTokensForTokensSupportingFeeOnTransferTokens(
135744542131496799520, 0,
[0xED56784bC8F2C036f6b0D8E04Cb83C253e4a6A94, 0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c],
0xCdf0eB202cfD1f502F3fdca9006A4b5729AadEBC, 1688472389
)
BambooAI::transferFrom(0xCdf0..., PancakePair, 135744542131496799520)
PancakePair::swap(1218773288555205031879, 0, 0xCdf0..., 0x)
WBNB::transfer(0xCdf0..., 1218773288555205031879)
The collector balance diff independently confirms that the pair’s BAMBOO balance fell from 137115699122724039920 to 135769155158116274841, a loss of 1346543964607765079 raw BAMBOO units, while the controller EOA paid 327148885046735555 wei in gas. Combined with the receipt-backed WBNB inflow into the attacker helper, the exploit path and profit predicate are deterministic.
The seed adversary cluster is:
0x00703face6621bd207d3b4ac9867058190c0bb090xcdf0eb202cfd1f502f3fdca9006a4b5729aadebcThe lifecycle observed on-chain is:
0x2f7defca7f7a014f740399cceee6382e01c2929a95bf35f4a434765a85e52272 was sent by 0x00703face6621bd207d3b4ac9867058190c0bb09 and created the helper later used in the exploit.0x88a6c2c3ce86d4e0b1356861b749175884293f4302dbfdbfb16a5e373ab58a10 in block 29668036 called the helper, which repeatedly exercised BambooAI transfer paths that reached updatePool, reduced LP BAMBOO reserves, and then exited through the Pancake pair into WBNB.0x5abde3804002e3625dddb48407204d107eae65069df938489737eadcd79f282f at the same block was sent by a different EOA, 0xf84efa8a9f7e68855cf17eaac9c2f97a9d131366, to a different helper, 0x10f30e05a877e48503387391075dd693836d9701. That corroborates the ACT classification: the strategy was not unique to one attacker artifact.The root-cause exploit conditions are all satisfied in the seed incident:
tradingOpen was already true.sale was already non-zero.10000 raw units.Additional related transactions captured in root_cause.json are 0xba65359dd84a1bbf355fe42cb13b724d56ec5302234f9899282adbd3c4a71fc2 and the same-block replay 0x5abde3804002e3625dddb48407204d107eae65069df938489737eadcd79f282f.
The exploit depletes both sides of the LP:
"11913501282999043656" raw wei, with decimal = 18"1346543964607765079" raw units, with decimal = 9The impact is not limited to mark-to-market mispricing. BambooAI permanently siphons BAMBOO inventory from the LP into the hidden sink while also enabling the attacker to cash out WBNB against the manipulated reserve state. The affected public components are BambooAI itself and the Pancake BAMBOO/WBNB pair.
/workspace/session/artifacts/collector/seed/56/0x88a6c2c3ce86d4e0b1356861b749175884293f4302dbfdbfb16a5e373ab58a10/metadata.json/workspace/session/artifacts/collector/seed/56/0x88a6c2c3ce86d4e0b1356861b749175884293f4302dbfdbfb16a5e373ab58a10/balance_diff.json/workspace/session/artifacts/collector/seed/56/0x88a6c2c3ce86d4e0b1356861b749175884293f4302dbfdbfb16a5e373ab58a10/trace.cast.log/workspace/session/artifacts/collector/seed/56/0xed56784bc8f2c036f6b0d8e04cb83c253e4a6a94/src/Contract.solhttps://bscscan.com/tx/0x88a6c2c3ce86d4e0b1356861b749175884293f4302dbfdbfb16a5e373ab58a10https://bscscan.com/tx/0x5abde3804002e3625dddb48407204d107eae65069df938489737eadcd79f282fhttps://bscscan.com/address/0xed56784bc8f2c036f6b0d8e04cb83c253e4a6a94https://bscscan.com/address/0x0557713d02a15a69dea5dd4116047e50f521c1b1