Calculated from recorded token losses using historical USD prices at the incident time.
0x849ed7f687cc2ebd1f7c4bed0849893e829a74f512b7f4a18aea39a3ef4d83b1
0x2e45aef311706e12d48552d0daa8d9b8fb764b1c
BSC

On BSC (chainid 56), attacker EOA 0x40a82dfdbf01630ea87a0372cf95fa8636fcad89 used an orchestrator contract 0x88c17622d33b327268924e9f90a9e475a244e3ab and helper contract 0xb7d0a1adafa3e9e8d8e244c20b6277bee17a09b6 (“MineSTM”) to execute a two‑transaction MEV arbitrage against the USDT/STM PancakeSwap V2 pair 0x2e45aef311706e12d48552d0daa8d9b8fb764b1c. In profit transaction 0x849ed7f687cc2ebd1f7c4bed0849893e829a74f512b7f4a18aea39a3ef4d83b1, the orchestrator took a 50,000 USDT flash loan from Pancake V3 pool 0x92b7807bf19b7dddf89b706143896d05228f3121, swapped it into STMERC20 0xbd0df7d2383b1ac64afeafdd298e640efd9864e0 against the USDT/STM pool, and then used MineSTM to burn almost all of its LP tokens, withdrawing nearly all USDT from the pair. After repaying 50,005 USDT to the flash-loan pool, the orchestrator sent the remaining 13,826,184.519087177588217 USDT to the attacker EOA.
The root cause is an ACT-style MEV opportunity created by the combination of (a) a large adversary-controlled LP position in the USDT/STM pool, (b) STMERC20’s 5% fee-on-transfer mechanics on transfers involving the USDT pair, and (c) permissionless flash-loan and removeLiquidity sequencing on a mispriced AMM. Constant-product accounting and STMERC20’s transfer logic behave as designed; however, when a single LP can temporarily reprice the pool with a flash-loan swap and immediately burn almost all liquidity, remaining LPs suffer a concentrated loss of 13,826,184.519087177588217 USDT while the adversary captures the corresponding profit.
STMERC20 (0xbd0df7d2383b1ac64afeafdd298e640efd9864e0) is a fee-on-transfer token whose _transfer override charges a 5% fee on transfers involving a configured usdtPair (the USDT/STM Pancake pair). For such transfers, 1% of the amount is sent each to nodeAddress and lpAddress, 3% to fundAddress, and the remaining 95% to the recipient; transfers that do not involve the pair behave like a standard ERC20. The relevant fragment from the verified source illustrates this behavior (STMERC20.sol, 0xbd0d…):

```solidity
function _transfer(address from, address to, uint256 amount) internal override {
    address pair_ = usdtPair;
    if (from != pair_ && to != pair_) {
        super._transfer(from, to, amount);
        return;
    }
    _subSenderBalance(from, amount);
    unchecked {
        uint256 feeAmount = amount / 100;
        _addReceiverBalance(from, nodeAddress, feeAmount);
        _addReceiverBalance(from, lpAddress, feeAmount);
        _addReceiverBalance(from, fundAddress, 3 * feeAmount);
        _addReceiverBalance(from, to, amount - 5 * feeAmount);
    }
}
```
The USDT/STM pair 0x2e45aef311706e12d48552d0daa8d9b8fb764b1c is a PancakeSwap V2-style constant-product AMM LP token: it tracks reserves, totalSupply, and exposes standard swap, mint, burn, sync, and getReserves operations; liquidity removal is implemented via transferring LP tokens to the pair followed by burn(), which sends the proportional amounts of USDT and STMERC20 to the recipient. The pair has no privileged paths in the exercised code; all relevant calls are permissionless.
Pancake V3 pool 0x92b7807bf19b7dddf89b706143896d05228f3121 exposes a flash function that allows any caller to borrow USDT for the duration of a single transaction, provided the caller repays principal plus a fixed fee (5 USDT in this incident) before the callback returns. The attacker’s orchestrator hard-wires addresses for USDT, STMERC20, the USDT/STM pair, Pancake V3 pool, router 0x0ff0eBC65deEe10ba34fd81AfB6b95527be46702, MineSTM, and the EOA in constructor storage, enabling a single call to coordinate flash loan, swap, LP burns, and repayments.
MineSTM (0xb7d0a1adafa3e9e8d8e244c20b6277bee17a09b6) is an adversary-owned helper that holds a very large LP position in the USDT/STM pair before the incident block and exposes two key functions observed in traces: updateAllowance() sets unlimited USDT, STMERC20, and LP allowances from MineSTM to the router, and sell(uint256) pulls STMERC20 from the orchestrator and then calls removeLiquidity to burn LP tokens and send the underlying USDT/STMERC20 to the orchestrator. These functions operate solely via standard ERC20 and router calls, with no privileged access to the pair or token.
This incident falls under the “MEV” root cause category. The vulnerability is economic rather than a code defect: an adversary that controls a very large share of LP tokens in an AMM pool can use flash-loan-funded swaps to skew the pool’s price, then immediately remove liquidity to withdraw more USDT value than their economic contribution warrants, leaving residual LPs with an under-collateralized position.
The key economic invariant for LP fairness is: after any sequence of swaps and liquidity operations, the aggregate USDT value of all LP holders’ claims should not fall below the pre-sequence value minus (i) net USDT actually transferred out of the pool to traders and (ii) explicit protocol fees (such as the flash-loan fee). In particular, burning a given fraction of LP tokens should entitle the burner only to the same fraction of the pool’s post-trade reserves, valued at prevailing market prices.
In this incident, the invariant is broken at the first MineSTM::sell(81) call in the profit transaction, where MineSTM burns ~92% of LP supply after the flash-loan swap has pushed the on-chain STM price away from its fundamental value. Because the constant-product pool uses its own skewed reserves as the price oracle, the burn returns a disproportionately large amount of USDT to the adversary, reducing the residual LP token supply’s claim on USDT below what the fairness invariant allows, even though all on-chain arithmetic and STMERC20 fee logic execute as written.
Immediately before block 39,383,150 (state σ_B on BSC), orchestrator 0x88c1… has been deployed by attacker EOA 0x40a8… in tx 0x410495e2026f2d0e2a8fbb321ccf35b30940ce172ffc57be3745c0a6aabb4d4f. Debug trace for this deployment shows constructor writes wiring in the addresses of USDT (0x55d3…), BUSD, WBNB, STMERC20 (0xbd0d…), the inner router 0x0ff0…, the USDT/STM pair 0x2e45…, MineSTM (0xb7d0…), and the attacker EOA as immutable configuration.
Seed balance_diff.json for the profit tx shows that prior to 0x849e… the adversary-related cluster (EOA + orchestrator + MineSTM) holds exactly 75,514,483,581,767,362,353 base units of USDT (75.514483581767362353 USDT), all in the EOA, and MineSTM holds a dominant share of the USDT/STM LP tokens. The relevant USDT deltas are:
```json
{
  "holder": "0x2e45aef311706e12d48552d0daa8d9b8fb764b1c",
  "before": "14472243761065956356193",
  "after": "641059241978778767976",
  "delta": "-13831184519087177588217"
},
{
  "holder": "0x40a82dfdbf01630ea87a0372cf95fa8636fcad89",
  "before": "75514483581767362353",
  "after": "13901699002668944950570",
  "delta": "13826184519087177588217"
}
```
These numbers show a net 13,831,184.519087177588217 USDT flowing out of the pair and 13,826,184.519087177588217 USDT accruing to the attacker EOA, with the difference (5 USDT) paid as the flash-loan fee to the Pancake V3 pool.
In the profit transaction 0x849e…, the attacker calls the orchestrator’s function with selector 0x1031d4ef, passing parameters that instruct it to borrow 50,000 USDT from Pancake V3 pool 0x92b7…. The pool’s flash function transfers 50,000,000,000,000,000,000,000 USDT (50,000 USDT with 18 decimals) to the orchestrator and then invokes the flash callback.
Within the callback, the orchestrator:
- pair.sync() on 0x2e45… to align reserves with current token balances.
- 0x0ff0… to execute swapExactTokensForTokensSupportingFeeOnTransferTokens, swapping the entire 50,000 USDT into STMERC20 against the USDT/STM pair.

Trace logs show 50,000 USDT moving from the orchestrator to the pair and 149 STMERC20 moving from the pair to the orchestrator, leaving the pair with approximately 64,472,243,761,065,956,356,193 USDT and 44 STMERC20 before LP burns. Because STMERC20 charges a 5% fee on transfers involving the pair, the effective STM input/output is computed from balances rather than raw transfer amounts, but no arithmetic errors occur: the pool simply ends up with a highly skewed USDT/STM ratio and an inflated on-chain STM price.
After the swap, the orchestrator invokes MineSTM’s sell(81) function. From traces and decompiled logic, sell(81):
- STMERC20.transferFrom(0x88c1…, 0xb7d0…, 81) to move 81 STMERC20 from the orchestrator to MineSTM.
- totalSupply of the USDT/STM LP token.
- PancakeRouter.removeLiquidity(USDT, STMERC20, 707,065,205,884, 0, 0, 0x88c1…, deadline).

The pair burns 707,065,205,884 LP tokens—around 92% of the then-current total supply of 768,169,606,393 LP tokens—and sends 59,343,769,825,487,515,309,058 USDT plus 40 STMERC20 to the orchestrator. This is the first concrete breakpoint where the LP fairness invariant is violated: given the preceding mispricing swap, burning 92% of LP supply entitles the adversary to a USDT amount that implicitly prices STM at the skewed AMM rate, extracting far more USDT value than would be possible under a fair-market price and leaving residual LPs with an under-valued claim on USDT.
The orchestrator then calls MineSTM::sell(7), performing a second, smaller LP burn. This call:
After the two burns, trace and decompile evidence show final pair reserves of 641,059,241,978,778,767,976 USDT and 1 STMERC20, with a tiny residual LP supply. Aggregating the two burns, 63,831,184,519,087,177,588,217 USDT has flowed from the pair to the orchestrator, whereas only 50,000,000,000,000,000,000,000 USDT flowed from the orchestrator into the pair during the earlier swap. The net USDT outflow from the pair is therefore 13,831,184,519,087,177,588,217 USDT, exactly matching the seed balance_diff.json.
With the LP burns complete, the orchestrator repays the flash loan by transferring 50,005,000,000,000,000,000,000 USDT (50,000 USDT principal plus 5 USDT fee) back to the Pancake V3 pool. It then transfers the remaining 13,826,184,519,087,177,588,217 USDT to the attacker EOA 0x40a8…. The orchestrator and MineSTM end the transaction with effectively zero USDT.
The adversary-related cluster’s portfolio change is fully captured in the USDT deltas for the EOA: from 75.514483581767362353 USDT to 13,901,699.002668944950570 USDT, a net gain of 13,826,184.519087177588217 USDT. BNB gas costs (approximately 0.001195428 BNB) are orders of magnitude smaller and do not change the positive profit conclusion.
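A detection and reconciliation sketch for the sequence above, added here as an example and not taken from the incident artifacts or any project code: it flags a transaction that combines a flash loan, a swap into the pair and a burn of a majority of LP supply, and reconciles the USDT flows in base units. The `Ev` record schema, `prorata_gap`, `analyze` and the 50% threshold are assumptions; the event values are constructed from the figures quoted in this write-up.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional

E18 = 10**18  # USDT on BSC uses 18 decimals

@dataclass
class Ev:  # hypothetical decoded-trace record, not a real tool's schema
    kind: str                        # "flash" | "swap_in" | "burn" | "repay"
    usdt: int                        # USDT base units moved by this step
    lp_burned: Optional[int] = None  # LP tokens burned (burn steps only)
    lp_supply: Optional[int] = None  # LP totalSupply just before the burn
    pair_usdt: Optional[int] = None  # pair USDT balance just before the burn

# Constructed from the figures quoted in this write-up for tx 0x849e…
TX = [
    Ev("flash", 50_000 * E18),
    Ev("swap_in", 50_000 * E18),
    Ev("burn", 59_343_769_825_487_515_309_058, 707_065_205_884,
       768_169_606_393, 64_472_243_761_065_956_356_193),
    Ev("burn", 4_487_414_693_599_662_279_159),  # LP figures not given in the text
    Ev("repay", 50_005 * E18),
]

def prorata_gap(e: Ev) -> Fraction:
    """Relative gap between a burn's USDT payout and its pro-rata share."""
    share = Fraction(e.pair_usdt * e.lp_burned, e.lp_supply)
    return abs(e.usdt - share) / share

def analyze(events, burn_threshold=Fraction(1, 2)):
    total = lambda k: sum(e.usdt for e in events if e.kind == k)
    kinds = [e.kind for e in events]
    # A burn that follows a swap into the pair inside the same transaction.
    swap_then_burn = "swap_in" in kinds and "burn" in kinds[kinds.index("swap_in"):]
    fracs = [Fraction(e.lp_burned, e.lp_supply) for e in events
             if e.kind == "burn" and e.lp_burned is not None and e.lp_supply]
    max_frac = max(fracs, default=Fraction(0))
    pair_net_out = total("burn") - total("swap_in")
    flash_fee = total("repay") - total("flash")
    return {
        "pair_net_out": pair_net_out,            # USDT that left the pair, net
        "caller_net": pair_net_out - flash_fee,  # what the caller keeps
        "max_burn_fraction": max_frac,
        "alert": (total("flash") > 0 and swap_then_burn
                  and max_frac >= burn_threshold and pair_net_out > 0),
    }
```

The first burn's payout differs from its pro-rata share only at rounding level, which agrees with the report's point that the pair's arithmetic executes as written. The alert therefore keys on sequencing and LP concentration, not on an arithmetic anomaly.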
All operations used in the sequence are permissionless:
- removeLiquidity/burn operations on the USDT/STM pair use standard router and pair functions callable by any address.

Under the adversary model, different unprivileged clusters could reproduce the strategy by acquiring sufficient LP tokens and running similar orchestrator logic. The opportunity therefore satisfies the definition of an Anyone-Can-Take (ACT) MEV opportunity rather than relying on private keys, governance, or admin rights.
The end-to-end adversary flow consists of two adversary-crafted transactions on BSC:
Stage 1 – Orchestrator deployment

- 0x410495e2026f2d0e2a8fbb321ccf35b30940ce172ffc57be3745c0a6aabb4d4f (block 39,383,108).
- 0x40a8… deploys orchestrator 0x88c1….
- 0x0ff0…, USDT/STM pair 0x2e45…, MineSTM 0xb7d0…, and the EOA itself, creating a reusable MEV executor.

Stage 2 – Flash-loan, swap, LP burns, and profit realization

- 0x849ed7f687cc2ebd1f7c4bed0849893e829a74f512b7f4a18aea39a3ef4d83b1 (block 39,383,150).
- trace.cast.log and debug traces):
  - 0x92b7… flash to borrow 50,000 USDT.
  - 0x0ff0… with swapExactTokensForTokensSupportingFeeOnTransferTokens.
  - MineSTM::sell(81), causing removal of 707,065,205,884 LP tokens (~92% of supply) and withdrawal of 59,343,769,825,487,515,309,058 USDT and 40 STMERC20 to the orchestrator.
  - MineSTM::sell(7), burning most of the remaining LP supply and withdrawing a further 4,487,414,693,599,662,279,159 USDT and 3 STMERC20.
  - 0x40a8….

No external victim transaction or privileged call is required; the entire opportunity is realized within the attacker’s own transaction sequence using public contracts.
USDT/STM LPs in pair 0x2e45… collectively lose 13,826,184.519087177588217 USDT of value to the adversary-related cluster over the course of tx 0x849e…. This figure is net of the 5 USDT flash-loan fee, which is paid from the drained USDT and accrues to the Pancake V3 pool 0x92b7….
There is no evidence of protocol insolvency or broader systemic impact beyond this pool. The loss is concentrated on LPs providing liquidity to the specific USDT/STM pair: their residual LP tokens represent claims on only 641,059,241,978,778,767,976 USDT and 1 STMERC20 after the burns, compared to significantly larger pre-incident reserves implied by the balance and reserve changes.
- raw.json (BSC tx 0x849ed7f6…, chainid 56).
- 0x849e…:
  - artifacts/root_cause/seed/56/0x849ed7f687cc2ebd1f7c4bed0849893e829a74f512b7f4a18aea39a3ef4d83b1/metadata.json
  - artifacts/root_cause/seed/56/0x849ed7f687cc2ebd1f7c4bed0849893e829a74f512b7f4a18aea39a3ef4d83b1/trace.cast.log
  - artifacts/root_cause/seed/56/0x849ed7f687cc2ebd1f7c4bed0849893e829a74f512b7f4a18aea39a3ef4d83b1/balance_diff.json
- 0x4104…:
  - artifacts/root_cause/data_collector/iter_2/tx/56/0x410495e2026f2d0e2a8fbb321ccf35b30940ce172ffc57be3745c0a6aabb4d4f/debug_traceTransaction_prestateTracer.json
- 0x849e…:
  - artifacts/root_cause/data_collector/iter_2/tx/56/0x849ed7f687cc2ebd1f7c4bed0849893e829a74f512b7f4a18aea39a3ef4d83b1/debug_traceTransaction_prestateTracer.json
- artifacts/root_cause/seed/56/0xbd0df7d2383b1ac64afeafdd298e640efd9864e0/src/STMERC20.sol
- artifacts/root_cause/data_collector/iter_1/contract/56/0x2e45aef311706e12d48552d0daa8d9b8fb764b1c/decompile
- artifacts/root_cause/data_collector/iter_1/contract/56/0x88c17622d33b327268924e9f90a9e475a244e3ab/decompile
- artifacts/root_cause/data_collector/iter_2/address/56/0x40a82dfdbf01630ea87a0372cf95fa8636fcad89/normal_txs_39380000_39386000.json
- artifacts/root_cause/data_collector/iter_2/address/56/0x92b7807bf19b7dddf89b706143896d05228f3121/normal_txs_39382000_39384000.json
- artifacts/root_cause/data_collector/iter_2/address/56/0xb7d0a1adafa3e9e8d8e244c20b6277bee17a09b6/normal_txs_39382000_39384000.json