MineSTM LP-burn MEV drains USDT from STM liquidity
Exploit Transactions: 0x849ed7f687cc2ebd1f7c4bed0849893e829a74f512b7f4a18aea39a3ef4d83b1
Victim Addresses: 0x2e45aef311706e12d48552d0daa8d9b8fb764b1c (BSC)
1. Incident Overview TL;DR
On BSC (chainid 56), attacker EOA 0x40a82dfdbf01630ea87a0372cf95fa8636fcad89 used an orchestrator contract 0x88c17622d33b327268924e9f90a9e475a244e3ab and helper contract 0xb7d0a1adafa3e9e8d8e244c20b6277bee17a09b6 (“MineSTM”) to execute a two‑transaction MEV arbitrage against the USDT/STM PancakeSwap V2 pair 0x2e45aef311706e12d48552d0daa8d9b8fb764b1c. In profit transaction 0x849ed7f687cc2ebd1f7c4bed0849893e829a74f512b7f4a18aea39a3ef4d83b1, the orchestrator took a 50,000 USDT flash loan from Pancake V3 pool 0x92b7807bf19b7dddf89b706143896d05228f3121, swapped it into STMERC20 0xbd0df7d2383b1ac64afeafdd298e640efd9864e0 against the USDT/STM pool, and then used MineSTM to burn almost all of its LP tokens, withdrawing nearly all USDT from the pair. After repaying 50,005 USDT to the flash-loan pool, the orchestrator sent the remaining 13,826,184.519087177588217 USDT to the attacker EOA.
The root cause is an ACT-style MEV opportunity created by the combination of (a) a large adversary-controlled LP position in the USDT/STM pool, (b) STMERC20’s 5% fee-on-transfer mechanics on transfers involving the USDT pair, and (c) permissionless flash-loan and removeLiquidity sequencing on a mispriced AMM. Constant-product accounting and STMERC20’s transfer logic behave as designed; however, when a single LP can temporarily reprice the pool with a flash-loan swap and immediately burn almost all liquidity, remaining LPs suffer a concentrated loss of 13,826,184.519087177588217 USDT while the adversary captures the corresponding profit.
2. Key Background
STMERC20 (0xbd0df7d2383b1ac64afeafdd298e640efd9864e0) is a fee-on-transfer token whose _transfer override charges a 5% fee on transfers involving a configured usdtPair (the USDT/STM Pancake pair). For such transfers, 1% of the amount is sent each to nodeAddress and lpAddress, 3% to fundAddress, and the remaining 95% to the recipient; transfers that do not involve the pair behave like a standard ERC20. The relevant fragment from the verified source illustrates this behavior (STMERC20.sol, 0xbd0d…):
    function _transfer(address from, address to, uint256 amount) internal override {
        address pair_ = usdtPair;
        if (from != pair_ && to != pair_) {
            super._transfer(from, to, amount);
            return;
        }
        _subSenderBalance(from, amount);
        unchecked {
            uint256 feeAmount = amount / 100;
            _addReceiverBalance(from, nodeAddress, feeAmount);
            _addReceiverBalance(from, lpAddress, feeAmount);
            _addReceiverBalance(from, fundAddress, 3 * feeAmount);
            _addReceiverBalance(from, to, amount - 5 * feeAmount);
        }
    }
The USDT/STM pair 0x2e45aef311706e12d48552d0daa8d9b8fb764b1c is a PancakeSwap V2-style constant-product AMM LP token: it tracks reserves, totalSupply, and exposes standard swap, mint, burn, sync, and getReserves operations; liquidity removal is implemented via transferring LP tokens to the pair followed by burn(), which sends the proportional amounts of USDT and STMERC20 to the recipient. The pair has no privileged paths in the exercised code; all relevant calls are permissionless.
Pancake V3 pool 0x92b7807bf19b7dddf89b706143896d05228f3121 exposes a flash function that allows any caller to borrow USDT for the duration of a single transaction, provided the caller repays principal plus a fixed fee (5 USDT in this incident) before the callback returns. The attacker’s orchestrator hard-wires addresses for USDT, STMERC20, the USDT/STM pair, Pancake V3 pool, router 0x0ff0eBC65deEe10ba34fd81AfB6b95527be46702, MineSTM, and the EOA in constructor storage, enabling a single call to coordinate flash loan, swap, LP burns, and repayments.
MineSTM (0xb7d0a1adafa3e9e8d8e244c20b6277bee17a09b6) is an adversary-owned helper that holds a very large LP position in the USDT/STM pair before the incident block and exposes two key functions observed in traces: updateAllowance() sets unlimited USDT, STMERC20, and LP allowances from MineSTM to the router, and sell(uint256) pulls STMERC20 from the orchestrator and then calls removeLiquidity to burn LP tokens and send the underlying USDT/STMERC20 to the orchestrator. These functions operate solely via standard ERC20 and router calls, with no privileged access to the pair or token.
3. Vulnerability Analysis & Root Cause Summary
This incident falls under the “MEV” root cause category. The vulnerability is economic rather than a code defect: an adversary that controls a very large share of LP tokens in an AMM pool can use flash-loan-funded swaps to skew the pool’s price, then immediately remove liquidity to withdraw more USDT value than their economic contribution warrants, leaving residual LPs with an under-collateralized position.
The key economic invariant for LP fairness is: after any sequence of swaps and liquidity operations, the aggregate USDT value of all LP holders’ claims should not fall below the pre-sequence value minus (i) net USDT actually transferred out of the pool to traders and (ii) explicit protocol fees (such as the flash-loan fee). In particular, burning a given fraction of LP tokens should entitle the burner only to the same fraction of the pool’s post-trade reserves, valued at prevailing market prices.
In this incident, the invariant is broken at the first MineSTM::sell(81) call in the profit transaction, where MineSTM burns ~92% of LP supply after the flash-loan swap has pushed the on-chain STM price away from its fundamental value. Because the constant-product pool uses its own skewed reserves as the price oracle, the burn returns a disproportionately large amount of USDT to the adversary, reducing the residual LP token supply’s claim on USDT below what the fairness invariant allows, even though all on-chain arithmetic and STMERC20 fee logic execute as written.
4. Detailed Root Cause Analysis
4.1 Pre-incident state
Immediately before block 39,383,150 (state σ_B on BSC), orchestrator 0x88c1… has been deployed by attacker EOA 0x40a8… in tx 0x410495e2026f2d0e2a8fbb321ccf35b30940ce172ffc57be3745c0a6aabb4d4f. Debug trace for this deployment shows constructor writes wiring in the addresses of USDT (0x55d3…), BUSD, WBNB, STMERC20 (0xbd0d…), the inner router 0x0ff0…, the USDT/STM pair 0x2e45…, MineSTM (0xb7d0…), and the attacker EOA as immutable configuration.
Seed balance_diff.json for the profit tx shows that prior to 0x849e… the adversary-related cluster (EOA + orchestrator + MineSTM) holds exactly 75,514,483,581,767,362,353 base units of USDT (75.514483581767362353 USDT), all in the EOA, and MineSTM holds a dominant share of the USDT/STM LP tokens. The relevant USDT deltas are:
    {
      "holder": "0x2e45aef311706e12d48552d0daa8d9b8fb764b1c",
      "before": "14472243761065956356193",
      "after": "641059241978778767976",
      "delta": "-13831184519087177588217"
    },
    {
      "holder": "0x40a82dfdbf01630ea87a0372cf95fa8636fcad89",
      "before": "75514483581767362353",
      "after": "13901699002668944950570",
      "delta": "13826184519087177588217"
    }
These numbers show a net 13,831,184.519087177588217 USDT flowing out of the pair and 13,826,184.519087177588217 USDT accruing to the attacker EOA, with the difference (5 USDT) paid as the flash-loan fee to the Pancake V3 pool.
4.2 Flash-loan and mispricing
In the profit transaction 0x849e…, the attacker calls the orchestrator’s function with selector 0x1031d4ef, passing parameters that instruct it to borrow 50,000 USDT from Pancake V3 pool 0x92b7…. The pool’s flash function transfers 50,000,000,000,000,000,000,000 USDT (50,000 USDT with 18 decimals) to the orchestrator and then invokes the flash callback.
Within the callback, the orchestrator:
- Calls pair.sync() on 0x2e45… to align reserves with current token balances.
- Uses router 0x0ff0… to execute swapExactTokensForTokensSupportingFeeOnTransferTokens, swapping the entire 50,000 USDT into STMERC20 against the USDT/STM pair.
Trace logs show 50,000 USDT moving from the orchestrator to the pair and 149 STMERC20 moving from the pair to the orchestrator, leaving the pair with approximately 64,472,243,761,065,956,356,193 USDT and 44 STMERC20 before LP burns. Because STMERC20 charges a 5% fee on transfers involving the pair, the effective STM input/output is computed from balances rather than raw transfer amounts, but no arithmetic errors occur: the pool simply ends up with a highly skewed USDT/STM ratio and an inflated on-chain STM price.
4.3 Breakpoint: first MineSTM::sell and LP burn
After the swap, the orchestrator invokes MineSTM’s sell(81) function. From traces and decompiled logic, sell(81):
- Calls STMERC20.transferFrom(0x88c1…, 0xb7d0…, 81) to move 81 STMERC20 from the orchestrator to MineSTM.
- Computes a liquidity amount based on MineSTM’s LP balance and the current totalSupply of the USDT/STM LP token.
- Calls PancakeRouter.removeLiquidity(USDT, STMERC20, 707,065,205,884, 0, 0, 0x88c1…, deadline).
The pair burns 707,065,205,884 LP tokens—around 92% of the then-current total supply of 768,169,606,393 LP tokens—and sends 59,343,769,825,487,515,309,058 USDT plus 40 STMERC20 to the orchestrator. This is the first concrete breakpoint where the LP fairness invariant is violated: given the preceding mispricing swap, burning 92% of LP supply entitles the adversary to a USDT amount that implicitly prices STM at the skewed AMM rate, extracting far more USDT value than would be possible under a fair-market price and leaving residual LPs with an under-valued claim on USDT.
4.4 Second MineSTM::sell and residual drain
The orchestrator then calls MineSTM::sell(7), performing a second, smaller LP burn. This call:
- Transfers 7 STMERC20 from the orchestrator to MineSTM.
- Burns an additional 61,104,400,509 LP tokens (the majority of the remaining LP supply).
- Causes the pair to send 4,487,414,693,599,662,279,159 USDT and 3 STMERC20 to the orchestrator.
After the two burns, trace and decompile evidence show final pair reserves of 641,059,241,978,778,767,976 USDT and 1 STMERC20, with a tiny residual LP supply. Aggregating the two burns, 63,831,184,519,087,177,588,217 USDT has flowed from the pair to the orchestrator, whereas only 50,000,000,000,000,000,000,000 USDT flowed from the orchestrator into the pair during the earlier swap. The net USDT outflow from the pair is therefore 13,831,184,519,087,177,588,217 USDT, exactly matching the seed balance_diff.json.
4.5 Flash-loan repayment and profit realization
With the LP burns complete, the orchestrator repays the flash loan by transferring 50,005,000,000,000,000,000,000 USDT (50,000 USDT principal plus 5 USDT fee) back to the Pancake V3 pool. It then transfers the remaining 13,826,184,519,087,177,588,217 USDT to the attacker EOA 0x40a8…. The orchestrator and MineSTM end the transaction with effectively zero USDT.
The adversary-related cluster’s portfolio change is fully captured in the USDT deltas for the EOA: from 75.514483581767362353 USDT to 13,901,699.002668944950570 USDT, a net gain of 13,826,184.519087177588217 USDT. BNB gas costs (approximately 0.001195428 BNB) are orders of magnitude smaller and do not change the positive profit conclusion.
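The USDT legs described in sections 4.2 to 4.5 can be replayed to confirm they reproduce the balance diff and to show the swap-then-burn pattern a pool monitor could alert on. This is an added example, not code from the original report or from any of the contracts involved; the leg labels, the short address names, and the 90% drain threshold are assumptions made for illustration, and all amounts are the base-unit figures quoted above.

```python
from collections import defaultdict

E18 = 10**18  # USDT on BSC uses 18 decimals; all amounts below are base units

# USDT legs of tx 0x849e…, constructed from the amounts quoted in sections 4.2-4.5.
# Labels: v3_pool = 0x92b7…, orch = 0x88c1…, pair = 0x2e45…, eoa = 0x40a8…
LEGS = [
    ("flash",  "v3_pool", "orch",    50_000 * E18),
    ("swap",   "orch",    "pair",    50_000 * E18),
    ("burn",   "pair",    "orch",    59_343_769_825_487_515_309_058),  # sell(81)
    ("burn",   "pair",    "orch",    4_487_414_693_599_662_279_159),   # sell(7)
    ("repay",  "orch",    "v3_pool", 50_005 * E18),
    ("payout", "orch",    "eoa",     13_826_184_519_087_177_588_217),
]
PAIR_USDT_BEFORE = 14_472_243_761_065_956_356_193  # from balance_diff.json


def net_deltas(legs):
    """Net USDT change per address; should reproduce the balance diff."""
    deltas = defaultdict(int)
    for _kind, src, dst, amount in legs:
        deltas[src] -= amount
        deltas[dst] += amount
    return dict(deltas)


def swap_then_burn_alert(legs, pair, balance_before, drain_pct=90):
    """Flag a tx where a flash-funded swap into `pair` is followed by LP burns
    that pull out at least drain_pct% of the pair's post-swap USDT balance."""
    flash_seen, swapped_in, burned_out = False, 0, 0
    for kind, src, dst, amount in legs:
        if kind == "flash":
            flash_seen = True
        elif kind == "swap" and dst == pair and flash_seen:
            swapped_in += amount
        elif kind == "burn" and src == pair and swapped_in:
            burned_out += amount
    post_swap = balance_before + swapped_in
    return {
        "alert": swapped_in > 0 and burned_out * 100 >= drain_pct * post_swap,
        "pair_balance_after": post_swap - burned_out,
        "pair_net_outflow": burned_out - swapped_in,
    }


if __name__ == "__main__":
    print(net_deltas(LEGS))
    print(swap_then_burn_alert(LEGS, "pair", PAIR_USDT_BEFORE))
```

The orchestrator nets to zero and the Pancake V3 pool to the 5 USDT fee, so every base unit leaving the pair is accounted for by the EOA payout and the flash-loan fee.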
4.6 Why this is an ACT-style opportunity
All operations used in the sequence are permissionless:
- The orchestrator is deployed by an unprivileged EOA via a normal contract-creation tx.
- The Pancake V3 flash loan is available to any caller that can repay principal plus fee within the transaction.
- Swaps and removeLiquidity/burn operations on the USDT/STM pair use standard router and pair functions callable by any address.
- MineSTM holds LP tokens and routes outputs but does not exercise any privileged control over the pair or token; any adversary could replicate the strategy by accumulating a similar LP position (or deploying their own helper contract), performing the same flash-loan swap and timed LP burns.
Under the adversary model, different unprivileged clusters could reproduce the strategy by acquiring sufficient LP tokens and running similar orchestrator logic. The opportunity therefore satisfies the definition of an Anyone-Can-Take (ACT) MEV opportunity rather than relying on private keys, governance, or admin rights.
5. Adversary Flow Analysis
The end-to-end adversary flow consists of two adversary-crafted transactions on BSC:
- Stage 1 – Orchestrator deployment
  - Tx: 0x410495e2026f2d0e2a8fbb321ccf35b30940ce172ffc57be3745c0a6aabb4d4f (block 39,383,108).
  - Actor: EOA 0x40a8… deploys orchestrator 0x88c1….
  - Effect: Constructor stores the addresses of USDT, BUSD, WBNB, STMERC20, router 0x0ff0…, USDT/STM pair 0x2e45…, MineSTM 0xb7d0…, and the EOA itself, creating a reusable MEV executor.
- Stage 2 – Flash-loan, swap, LP burns, and profit realization
  - Tx: 0x849ed7f687cc2ebd1f7c4bed0849893e829a74f512b7f4a18aea39a3ef4d83b1 (block 39,383,150).
  - Steps inside the tx (from trace.cast.log and debug traces):
    - Orchestrator calls Pancake V3 pool 0x92b7… flash to borrow 50,000 USDT.
    - In the flash callback, orchestrator syncs the USDT/STM pair and swaps 50,000 USDT into STMERC20 via router 0x0ff0… with swapExactTokensForTokensSupportingFeeOnTransferTokens.
    - Orchestrator calls MineSTM::sell(81), causing removal of 707,065,205,884 LP tokens (~92% of supply) and withdrawal of 59,343,769,825,487,515,309,058 USDT and 40 STMERC20 to the orchestrator.
    - Orchestrator calls MineSTM::sell(7), burning most of the remaining LP supply and withdrawing a further 4,487,414,693,599,662,279,159 USDT and 3 STMERC20.
    - Orchestrator repays 50,005 USDT to the flash-loan pool (principal plus 5 USDT fee).
    - Orchestrator transfers the remaining 13,826,184.519087177588217 USDT to EOA 0x40a8….
No external victim transaction or privileged call is required; the entire opportunity is realized within the attacker’s own transaction sequence using public contracts.
6. Impact & Losses
USDT/STM LPs in pair 0x2e45… collectively lose 13,826,184.519087177588217 USDT of value to the adversary-related cluster over the course of tx 0x849e…. This figure is net of the 5 USDT flash-loan fee, which is paid from the drained USDT and accrues to the Pancake V3 pool 0x92b7….
There is no evidence of protocol insolvency or broader systemic impact beyond this pool. The loss is concentrated on LPs providing liquidity to the specific USDT/STM pair: their residual LP tokens represent claims on only 641,059,241,978,778,767,976 USDT and 1 STMERC20 after the burns, compared to significantly larger pre-incident reserves implied by the balance and reserve changes.
7. References
- Seed incident specification: raw.json (BSC tx 0x849ed7f6…, chainid 56).
- Seed transaction metadata, trace, and balance diff for 0x849e…:
  - artifacts/root_cause/seed/56/0x849ed7f687cc2ebd1f7c4bed0849893e829a74f512b7f4a18aea39a3ef4d83b1/metadata.json
  - artifacts/root_cause/seed/56/0x849ed7f687cc2ebd1f7c4bed0849893e829a74f512b7f4a18aea39a3ef4d83b1/trace.cast.log
  - artifacts/root_cause/seed/56/0x849ed7f687cc2ebd1f7c4bed0849893e829a74f512b7f4a18aea39a3ef4d83b1/balance_diff.json
- Orchestrator deployment trace (prestate tracer) for 0x4104…:
  - artifacts/root_cause/data_collector/iter_2/tx/56/0x410495e2026f2d0e2a8fbb321ccf35b30940ce172ffc57be3745c0a6aabb4d4f/debug_traceTransaction_prestateTracer.json
- Profit transaction detailed trace (prestate tracer) for 0x849e…:
  - artifacts/root_cause/data_collector/iter_2/tx/56/0x849ed7f687cc2ebd1f7c4bed0849893e829a74f512b7f4a18aea39a3ef4d83b1/debug_traceTransaction_prestateTracer.json
- STMERC20 token verified source (fee-on-transfer logic):
  - artifacts/root_cause/seed/56/0xbd0df7d2383b1ac64afeafdd298e640efd9864e0/src/STMERC20.sol
- Decompiles and address txlists used for clustering and contract roles:
  - artifacts/root_cause/data_collector/iter_1/contract/56/0x2e45aef311706e12d48552d0daa8d9b8fb764b1c/decompile
  - artifacts/root_cause/data_collector/iter_1/contract/56/0x88c17622d33b327268924e9f90a9e475a244e3ab/decompile
  - artifacts/root_cause/data_collector/iter_2/address/56/0x40a82dfdbf01630ea87a0372cf95fa8636fcad89/normal_txs_39380000_39386000.json
  - artifacts/root_cause/data_collector/iter_2/address/56/0x92b7807bf19b7dddf89b706143896d05228f3121/normal_txs_39382000_39384000.json
  - artifacts/root_cause/data_collector/iter_2/address/56/0xb7d0a1adafa3e9e8d8e244c20b6277bee17a09b6/normal_txs_39382000_39384000.json