ExVul

872 posts


@exvulsec

State-of-the-art Web3 security services (audits, pentests, etc.). We are trusted by OKX, Bitget, Stacks, Aptos, Sui, etc. Book an audit: https://t.co/mOtBwIAwnt

Web3 World · Joined September 2023
244 Following · 3.9K Followers
ExVul @exvulsec
Check out this article: HB Token Exploit Analysis: ~$193K Lost to AMM Reserve Manipulation via Reward Path exvul.com/blog/hb-token-…
ExVul @exvulsec
🚨 HB Token Reward Manipulation on BSC — ~$194K Lost
An attacker exploited HB Token's reward accounting system in a single tx, netting 193,936.99 USDT.
Attack flow: 405,231.89 WBNB Moolah flash loan → vBNB collateral on Venus → borrowed 100M USDT → manipulated reward claims via HB Token (0x5b41af6a9b314ef4d92f6809087740a83d20570a), HB (0x86ddbfc6f2e3cf096e80ca79e46042392bd90aef), and reward proxy (0xcc9dadc6c290f9e12a9805a005aaf3c37f46fdb5) → extracted USDT from HB/USDT LP → repaid all loans → transferred profit to 0x2e358f7e323b9e615231873f17b099b833163f23.
Tx: bscscan.com/tx/0x19671f578…
Same recurring pattern: flash-loan-funded state manipulation enabling inflated reward claims. Projects using spot LP state for reward calculations remain sitting ducks.
#DeFiSecurity #BSC #ExploitAlert — ExVul Security
ExVul @exvulsec
🛡️ 4/4 — Action Required
If you've EVER used Squid Router:
Check approvals to 0xaD6Cea45f98444a922a2b4fE96b8C90F0862D2F4 on ALL chains
Revoke immediately via revoke.cash
Any address with token approvals to SquidMulticall is at risk. The run() function allows anyone to execute arbitrary calls using the contract's approval authority.
Approve only what you need. Revoke when done.
ExVul @exvulsec
⛓️ 3/4 — Exploit Txs & Addresses
Victim: 0xaCc0c1f672B03B9a5fED4535f840f09B85f40E98
Exploiters:
0x46c403e3DcAF219D9D4De167cCc4e0dd8E81Eb72 (BSC, AVAX)
0xe1b3847fb1403da358736c726ba4207901ba3017 (ETH)
Sample txs:
BSC: 0x09eca081bee7c2c6078612b05daf0b01f4fdd658ec7210c01843c5ce8df27ea1
ETH: 0x0715b39742bfa007615553b83da5501eee12bba89122e9194cd12ec5c17f1c6a
AVAX: 0x935eb961ff81cb9d29f357895913537db6da4b4e75962f50c913b5bc9c2742d4
ExVul @exvulsec
🚨 1/4 — Risky Approval Alert: SquidMulticall Drain (~$1M Lost)
An EOA just got drained of ~$1M across ETH, Avalanche, BSC, Base, Linea & Arbitrum.
Root cause: unlimited token approvals to Squid Router's SquidMulticall contract (0xaD6Cea45f98444a922a2b4fE96b8C90F0862D2F4).
Attacker called run() with crafted transferFrom calls — no permission needed.
ExVul @exvulsec
🚨 BSC TMM/USDT Reserve Manipulation Alert
💰 Loss: ~$1.665M USDT
🎯 Target: TMM 0x1d6f03b0b20b2ec05b37bf60f56af442ced66666
Attack Tx: bscscan.com/tx/0xdee460f77…
Attacker contract 0x1c5e8d3501bbcae900e14d8720774d9ff6ec7203 used flash loans from ListaDAO Moolah (0x8f73b65b4caaf64fba2af91cc5d4a2a1318e5d8c), Venus, Aave V3, PancakeSwap Vault, and Uniswap PoolManager to manipulate the TMM/USDT pair (0xc36c718e7d0af055092e5274f92f6511820ca041). TMM was burned to 0x...dEaD, reducing pair reserves to 1 TMM, then 850M TMM was swapped out for ~272M USDT. After repaying all flash loans, 1,665,255 USDT profit was transferred to 0xe4edfa3fbf238c3598b73f76bc15286b6496cd0c.
#DeFiSecurity #BSC #ExploitAlert
ExVul @exvulsec
🚨 BSC DeFi Exploit Alert — SAS Transfer-Hook Burn Exploit
Chain: BSC
Loss: ~20.19 WBNB drained from SAS-WBNB LP
Target: 0xbfa266aeb18d34ef4f8749fc7a1b2064af3d91c6 (SAS Token)
Affected LP: 0x2e456142b1998e711f61021d2467cad85afd1963 (Cake-LP SAS/WBNB)
Attack Tx: 0x878e214a895b057e2f284a084135a6dbe5fe3d696402da6380547a3e5696adc5
Summary: An attacker exploited SAS token's transfer-hook burn mechanism on BSC, draining ~20.19 WBNB from the SAS-WBNB Cake-LP. Using a 200,000 WBNB flash loan, the attacker bought SAS tokens then abused the token's auto-sell logic combined with `sellBurn` and `_burnFromPair` functions to systematically collapse the LP's SAS reserve down to just 1 token. With the pair's SAS balance destroyed, the attacker extracted the remaining WBNB. 14.639907144265126682 WBNB was routed back for flash loan repayment, while 20.194632450524216125 WBNB profit remained in the profit address.
Attacker Contract: 0x27abde2f1757b0704da5a5870cd85ad09d1b9290
Profit Address: 0xe66e3807f316c70c0db6cc4bdaccb49c3fce9073
Tx: bscscan.com/tx/0x878e214a8…
#DeFiSecurity #BSC #ExploitAlert
ExVul reposted
Clara | Maybe Wrong @clara_oracle
Attribution: exvulsec posted the first public alert here: x.com/exvulsec/statu…. Additional tracing supports the same loss event, while identifying invariant-breaking refill logic as the core flaw.
Quoted post: ExVul @exvulsec, the $LML Single-Pool Price Manipulation alert (reproduced in full below).
ExVul @exvulsec
🚨 BSC DeFi Exploit Alert — $LML Single-Pool Price Manipulation
Chain: BSC
Loss: ~$950.37K USDT
Target: 0xb7b7631b97d93344b2a29e926e42578006794b3b (LML Power)
Vulnerable Contract: 0xae406f357541f45f01bec21f9f28c43757f202e4 (Reward Proxy)
Attack Tx: bscscan.com/tx/0x805d273a6…
Summary: An attacker exploited LML's reward settlement system on BSC, netting ~$950.37K USDT. The attacker aggregated massive flash liquidity from Moolah, Venus, Aave V3, and multiple PancakeSwap/Uniswap V3 pools, then used 309,529,000 USDT to buy nearly all LML from the LML/USDT PancakeSwap pool — skewing the reserve ratio by ~67,347x and sending purchased tokens to a burn address. With the pool in this extreme state, the attacker triggered the LML Power reward settlement path 11 times using helper addresses. The reward system's `updatePrice()` directly consumed the manipulated LP reserves as its price input, with no TWAP, oracle, or same-block cooldown. Each round called `updatePrice → updateUser → sendMining → swapBack → claimReward`, converting inflated reward accounting into real tokens at the manipulated price. After 11 rounds, the attacker dumped remaining LML back into the pool, repaid all borrowed funds within the same transaction, and transferred 950,370.69 USDT profit to 0x3c00b00007f11c84a6cf0bea4dff8de79be8fb51.
#DeFiSecurity #BSC #ExploitAlert
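The HB alert above calls out the recurring pattern, and the $LML alert shows its concrete form: a reward path whose `updatePrice()` trusts the raw spot reserves of one AMM pair. As an added illustration (not ExVul's code, nor code from any affected project), the Python below simulates a fee-less constant-product pool, shows how one large swap skews the spot price and the reward a spot-priced settlement computes, and contrasts a settlement guard that rejects a spot price deviating from a TWAP reference settled before the block. Pool sizes, the 10% threshold and the 1% reward rate are all constructed values.

```python
"""Spot-reserve reward pricing vs a TWAP-guarded settlement (constructed example)."""
from dataclasses import dataclass

@dataclass
class ConstantProductPool:
    """Minimal fee-less x*y=k pair; reserve sizes are constructed."""
    reserve_token: float
    reserve_usdt: float

    def spot_price(self) -> float:
        """USDT per token read straight from reserves: the input the exploited reward paths trusted."""
        return self.reserve_usdt / self.reserve_token

    def swap_usdt_for_token(self, usdt_in: float) -> float:
        """Swap USDT in for tokens out along the curve; returns tokens received."""
        k = self.reserve_token * self.reserve_usdt
        self.reserve_usdt += usdt_in
        tokens_out = self.reserve_token - k / self.reserve_usdt
        self.reserve_token -= tokens_out
        return tokens_out

@dataclass
class GuardedRewardPricer:
    """Refuses a spot price far from a TWAP accumulated before this block (threshold constructed)."""
    twap: float
    max_deviation: float = 0.10

    def settlement_price(self, pool: ConstantProductPool) -> float:
        spot = pool.spot_price()
        deviation = abs(spot - self.twap) / self.twap
        if deviation > self.max_deviation:
            raise ValueError(f"spot {spot:.2f} deviates {deviation:.0%} from TWAP {self.twap:.2f}")
        return spot

def reward_usdt(staked_tokens: float, price: float, rate: float = 0.01) -> float:
    """Reward accrued as a share of the USDT value of a staked position (rate constructed)."""
    return staked_tokens * price * rate

def simulate() -> dict:
    """Fair reward, the reward a spot-priced settlement pays after one large swap, and the guard's verdict."""
    pool = ConstantProductPool(reserve_token=1_000_000.0, reserve_usdt=1_000_000.0)
    pricer = GuardedRewardPricer(twap=pool.spot_price())  # reference settled before the skew
    fair = reward_usdt(1_000.0, pool.spot_price())        # 10 USDT at 1.00 USDT/token
    pool.swap_usdt_for_token(9_000_000.0)                 # spot jumps to 100.00 USDT/token
    inflated = reward_usdt(1_000.0, pool.spot_price())    # 1,000 USDT for the same position
    try:
        guarded = reward_usdt(1_000.0, pricer.settlement_price(pool))
    except ValueError as exc:
        guarded = str(exc)                                # settlement refused; nothing paid
    return {"fair": fair, "inflated": inflated, "guarded": guarded, "skew": pool.spot_price() / pricer.twap}
```

A deviation guard alone is not sufficient where the TWAP itself can be moved within the same block, which is the separate failure the InfinitySix alert below describes; pairing it with a same-block settlement cooldown closes that path.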
ExVul @exvulsec
🚨 BSC DeFi Exploit Alert — InfinitySix Stale TWAP Reward Drain
Chain: BSC
Loss: ~$273.8K USDT attacker profit; #InfinitySix $i6 token reserve nearly drained
Target: 0x1cb36b0f1efd9b738997da3d5525364c7e82a18a (InfinitySix)
Attack Tx: bscscan.com/tx/0xc1b9a237a…
Summary: An attacker exploited InfinitySix's stale TWAP pricing in its reward withdrawal logic on BSC, netting ~$273.8K USDT. The attacker flash-loaned 270,000 WBNB via Moolah and borrowed ~$125.9M USDT through Venus and PancakeV3. A small initial `invest()` call established the attacker as a valid sponsor and locked the TWAP at ~1.05 USDT/$i6. Then a helper contract invested ~$124M USDT as the attacker's "referral," generating ~$6.2M in instant referral bonus while simultaneously skewing the LP spot price to ~15,528 USDT/i6. The attacker immediately called `withdraw()` in the same transaction — but because the 1-minute TWAP update window hadn't elapsed, the contract still used the old ~1.05 price to convert the $6.2M USDT bonus into i6 tokens, dispensing ~5.6M i6 instead of ~399 i6 at fair value. The attacker dumped the i6 back into the LP for ~$125.2M USDT, repaid all loans, and walked away with $273,802 profit.
Root causes: instant referral bonus accrual, stale TWAP used for withdrawal settlement, no same-tx withdrawal cooldown.
#DeFiSecurity #BSC #ExploitAlert
ExVul @exvulsec
🚨 BSC DeFi Exploit Alert — DayContract Price Manipulation
Chain: BSC
Loss: ~10.6K profit; 29.7K protocol insolvency
Target: 0x587984549f7e61c0ed8131b1f6614f592573a43c (DayContract)
Attack Tx: bscscan.com/tx/0xf3b8ceae8…
#DeFiSecurity #BSC #ExploitAlert
Summary: An attacker exploited DayContract (0x5879...3a43c) and its SettlementVault (0x6642...f12) on BSC by manipulating $PSTAR/USDT spot price on PancakeSwap. Using a 2,042,000 USDT flash loan from Moolah, the attacker deployed 38 helper contracts to batch-deposit 1,000 USDT each. Two deposits executed at fair price, then the attacker dumped 2,000,000 USDT into the PSTAR pool to spike the price before the remaining 36 deposits — locking in LP positions at massively inflated valuations. After selling $PSTAR back for ~2,010,655 USDT, all 38 helpers withdrew in the same transaction. Despite LP redemptions returning only ~$8,287 total, SettlementVault's rigid principal guarantee forced it to pay back the full $38,000 by draining shared LP reserves.
Root causes: no TWAP/oracle on deposit, no same-tx withdrawal cooldown, and unconditional principal settlement ignoring actual position NAV.
#DeFiSecurity #BSC #ExploitAlert
ExVul reposted
QuillAudits @QuillAudits_AI
After enough audits, you start noticing a pattern. Most exploits don’t come from something completely unknown. They come from edge cases, assumptions, integrations - things that evolve after deployment. So where does real security actually come from? We’re discussing this today: Internal teams vs external auditors - what actually secures DeFi. Joining forces with John from @baltexio and @0xeasonnong from @exvulsec Tune in here - x.com/i/spaces/1AJEm…
ExVul @exvulsec
Check out this article: One Line, All Funds: How a Static IV Turned Nightly Wallet's Encryption Into a Two-Time Pad exvul.com/blog/nightly-w…
ExVul @exvulsec
🚀 We just open-sourced exvul-solana-skill — a prompt-native security auditor for Solana smart contracts.
One command. Zero scripts. Full audit report.
It runs a 7-stage pipeline inside Claude Code: scope → deep sweep → candidate generation → adversarial verification → report.
Every finding starts as "likely false positive" and has to prove itself. Less noise, more signal.
github.com/exvulsec/exvul…
#Solana #Security #AI #OpenSource #web3security
ExVul @exvulsec
🚨 NEW: We found a previously unknown bug in Anchor Framework (v0.31.0+)
A single-byte custom discriminator can silently kill the entire event system.
discriminator = [] captures ALL instructions.
Zero warnings from compiler, IDL, or runtime.
Writeup + PoC: exvul.com/blog/anchor-on…