导航菜单
首页
排名 涨幅榜 跌幅榜 24h成交额 新币榜
快讯 机构 观点 人物 专题

价值22.6万美元的BNB丢失了! How BFB token’s safety protocol became its own worst enemy

An exploit targeted the BFB token’s faulty price-defense mechanism rather than the PancakeSwap liquidity pool itself.

Investigators traced the attack to a logical flaw in BFB’s price-defense mechanism on BNB Chain. The attacker first funded gas fees with assets routed through Railgun, a privacy protocol that obscures transaction origins.

Attack using money obtained via Railgun 来源:BscScan

Then, by repeatedly using zero-value transferFrom() calls to trigger the _priceDeflPool() function with a flash loan, the attacker burned 5% of the BFB tokens in the liquidity pool.此操作已完成大约 151 次。

<风格> @media only 屏幕和(最小宽度:0px)和(最小高度:0px){ div[id^="bsa-zone_1774359638628-7_123456"] { 最小高度:50px; 过渡:最小高度 0.3 秒缓和; } } @media only 屏幕和(最小宽度:640px)和(最小高度:0px){ div[id^="bsa-zone_1774359638628-7_123456"] { 最小高度:90px; } }
<按钮 onclick=" var el = document.getElementById('amb-ad-inline-content'); el.style.maxHeight = el.scrollHeight + 'px'; requestAnimationFrame(function() { el.style.maxHeight = '0'; el.style.marginTop = '0'; el.style.marginBottom = '0'; }); ">AD <矩形宽度=“10”高度=“10”rx=“5”填充=“当前颜色”/><路径填充=“#000000”d=“M6.883 6.317a.4.4 0 1 1-.566.566L5 5.566 3.683 6.883a.4.4 0 1 1-.566-.566L4.434 5 3.117 3.683a.4.4 0 1 1 .566-.566L5 4.434l1.317-1.317a.4.4 0 1 1 .566.566L5.566 5z" />

In each iteration, a zero-value transferFrom() call between externally owned accounts (EOAs) triggered the _priceDeflPool() function.这导致合约销毁 PancakeSwap 流动性池中存储的 5% 的 BFB 代币,并立即调用 sync() 来更新池的储备。

攻击者如何排空池中的水?

Here, after the BFB reserve was nearly exhausted, the attacker consumed approximately 396.43 Binance [BNB] (roughly $226,000) by exchanging a small amount of BFB for nearly all the BNB 在池中。 

BFB token's faulty price defense Source: BscScan

The attacker later converted the stolen BFB into BNB and left the funds in wallet 0x3BFA…6b0F without moving them.

Investigators identified the logical flaw in BFBToken’s price-defense mechanism as the root cause. They continue monitoring the wallet for any outgoing transfers.

The attacker also combined several techniques, including liquidity pool draining, reserve manipulation, Automated Market Maker (AMM) price manipulation, flash loans, logic exploitation, zero-value transaction abuse, repeated execution, and Railgun funding.

攻击数量惊人增加

这与 TRM 实验室数据显示,2026 年上半年发生了创纪录的 207 起安全漏洞。 

crypto hacks in H1 2026 Source: TRM Labs

Even so, total losses fell sharply to $972 million, less than half the $2.3 billion stolen during the same period in 2025.

The attack also followed Polymarket’s recent phishing incident, where attackers compromised the frontend and manipulated what users viewed and signed.

Summer.fi 的事后分析还显示,攻击者在执行价值 604 万美元的 Lazy Summer Protocol 漏洞之前花费了大约三个月的时间。

<小时>

最终摘要

  • 396.43 BNB was drained by the attacker in exchange for a small amount of BFB. 
  • A logical error in BFBToken’s price-defense mechanism was the root cause of this attack.