BNB worth $226K lost! How the security of the BFB brand became its worst enemy


Effectiveness focuses on the negative security of the BFB token rather than the PancakeSwap liquidity pool itself.

The researchers traced the hack to a clear flaw in the way BFB prices were protected on the BNB Chain. The attacker paid for gas and cargo transit to Railgun, a secret code that hides what happens.

Attack using the money earned through the RailgunAttack using the money earned through the Railgun
Source: BscScan

Then, using repeated zero-value transferFrom() phones to activate _priceDeflPool() working with flash credit, the attacker burned 5% of BFB tokens in the liquidity pool. This happened about 151 times.

For each iteration, the value is zero transferFrom() calls between external accounts (EOAs) started _priceDeflPool() work. This resulted in the agreement burning 5% of the BFB tokens held in the PancakeSwap liquidity pool and calling it immediately. sync() rehabilitating pool reserves.

How did the attacker drain the pool?

Here, BFB is about to end, the is an attacker to be eaten about 396.43 Binance (BNB) (about $226,000) for a small exchange and BFB for almost all. The price of BNB in the pool.

BFB price protectionBFB price protection
Source: BscScan

After that, the attacker converted the stolen BFB to BNB and left the money in the wallet 0x3BFA…6b0F without moving it.

Researchers found a logical flaw in the BFBToken price protection system as its source. He continues to monitor the money that comes out of the wallet.

The attacker also included a number of methods, including draining, spot manipulation, Automated Market Maker (AMM) price manipulation, flash loans, mind manipulation, zero manipulation, repeated killing, and Railgun money.

A terrible attack

This is related to TRM Labs data reveals 207 security breach records in the first half of 2026.

crypto hacks in H1 2026crypto hacks in H1 2026
Source: TRM Labs

Even so, total losses fell sharply to $972 million, less than half of the $2.3 billion stolen in the same period in 2025.

The attack followed The latest Polymarket fraud incidentwhere attackers tampered with the front end and controlled what users saw and signed.

Summer.fi’s investigation also revealed that the attackers spent almost three months preparing $6.04 million Lazy Summer Protocol use it before you do it.


Brief Summary

  • 396.43 BNB was dropped by the attacker in exchange for a small BFB.
  • A logical error in the BFBToken price protection system was the source of this attack.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *