Mobius Token Exploit Postmortem: How a Proxy Logic Bug Enabled a $2.15M Drain

@count-sum
Security Researcher

At HackenProof, we believe that some of the most valuable security knowledge is created inside the hacker community itself. This belief is reflected in our ongoing series of guest articles, where security researchers from our community share practical insights and real-world lessons from their work in smart contract security, Web3 development, and bug bounty research. By publishing hacker-authored content, we aim to make expert-level security knowledge more accessible and to support continuous learning across the broader Web3 security ecosystem.

We regularly curate and publish the strongest technical articles based on their educational value, technical depth, and relevance to real security challenges. Authors whose work is published on the HackenProof blog receive the Star Author achievement, recognizing their contribution to knowledge sharing and community growth.

Read the article, explore the ideas, and share your thoughts with the community — and if you have expertise to share, this could be your first step toward becoming our next Star Author.

Background and Scope

This article was written by @count-sum, a Web3 security researcher from Romania and a member of the HackenProof community since September 28, 2025. Despite joining relatively recently, he has already built a strong track record on the platform, currently ranking #85 on the HackenProof leaderboard with 11 paid vulnerability reports to his name. His work focuses on analyzing real-world smart contract exploits, breaking down complex attack paths, and translating on-chain incidents into practical lessons for builders and security researchers.

In this article, count-sum examines the Mobius Token exploit on Binance Smart Chain, where a seemingly minor accounting mistake in a proxy contract allowed an attacker to mint millions of tokens and drain over $2.15 million in liquidity. Through a step-by-step reconstruction of the attack, he shows how small miscalculations in price normalization and decimals handling can cascade into catastrophic failures. The analysis highlights how a single overlooked line of code can be weaponized into a full-scale DeFi exploit — and why rigorous validation, testing, and audits remain essential safeguards for any protocol handling real value.

Editor’s note: This article was originally published by the author on Medium and is shared here with permission as part of our community guest article series.

Foreword

On May 11, 2025, the Mobius Token (MBU) contract on Binance Smart Chain (BSC) was exploited in a critical attack.

The vulnerability stemmed from a misconfigured proxy contract that allowed the attacker to mint an inflated supply of MBU tokens and dump them into PancakeSwap liquidity pools.

Starting with just 0.001 BNB, the attacker manipulated the proxy's accounting logic to generate millions of MBU tokens at essentially no cost. These tokens were then swapped into stablecoins (BUSD), and the stolen $2.15M was quickly laundered through Tornado Cash, which effectively ruled out recovery.

Vulnerable Code

The project, which had launched only days before the attack, included the following function to compute the BNB price in USDT from the reserves of the BNB/USDT pair:

code snippet

Why This Was Dangerous

At first glance, the logic seems straightforward, but several critical issues made it exploitable:

  • Reliance on spot prices — no TWAP (time-weighted average price) or oracle safeguards.
  • No liquidity checks — price calculations ignored whether pools had sufficient depth.
  • Potential mishandling of non-standard decimals. USDT has 6 decimals on Ethereum but 18 on BSC; price code that hardcodes one convention silently misvalues the pair on the other chain.
  • Extra 1e18 multiplier in the final step — this was the fatal flaw, inflating returned values by orders of magnitude.

This seemingly minor miscalculation allowed the attacker to deposit 0.001 BNB and be credited with a disproportionate supply of MBU tokens, which were then dumped against the MBU/BUSD-T PancakeSwap pool, draining approximately $2.15M in stablecoins.

The full transaction can be observed here:

🔗 BlockSec Explorer — Exploit Transaction

[Figure: BlockSec trace of the exploit transaction. Mobius Token exploit on BSC: proxy contract misconfiguration allowed an attacker to mint millions of MBU tokens and drain $2.15M from PancakeSwap liquidity pools.]

As shown in the trace, the attacker called the deposit function on the vulnerable proxy (0x95e9…ERC1967Proxy).

This call invoked the flawed getBNBPriceInUSDT function, which miscalculated the token valuation and minted excessive MBU tokens.

The inflated tokens were then swapped into BUSD via PancakeSwap, draining liquidity from the pool.


Key On-Chain References

Attack Breakdown

The exploit can be summarized in four stages:

1. Initial Funding

  • The attacker funded their address via Tornado Cash to ensure anonymity.

2. Proxy Abuse

  • Deposited a small amount of WBNB (~0.001 BNB) into the vulnerable Mobius proxy contract.
  • Due to a logic flaw in the proxy’s accounting, this deposit credited the attacker with a vastly inflated number of MBU tokens.

3. Token Dump

  • The attacker approved PancakeSwap’s router for unlimited MBU token transfers.
  • They swapped roughly 30,000,000 MBU for BUSD using swapExactTokensForTokensSupportingFeeOnTransferTokens.

4. Profit Extraction & Laundering

  • The obtained BUSD was transferred back to the attacker’s externally owned account (EOA).
  • Additional calls went to the BlockRazor contract, a BSC MEV builder; these most likely paid for private, front-run-protected inclusion of the transactions rather than hiding anything in the trace itself.
  • Funds were eventually siphoned through Tornado Cash.

Root Cause Analysis

The vulnerability stemmed from broken accounting logic in the proxy contract.

  • When users deposited WBNB, the proxy called getBNBPriceInUSDT() to value the deposit.
  • The function incorrectly applied decimals twice (x * 10**18 applied redundantly).
  • As a result, the contract credited users with 10¹⁸ times more tokens than intended.

This flaw essentially allowed the attacker to mint tokens at a massive discount, bypassing any real economic cost.
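The following model, added here as an example and not code from the Mobius contract or from the author, replays the deposit path described in "Why This Was Dangerous", "Attack Breakdown" and the root cause above using EVM-style integer arithmetic. It normalises pair reserves to 18 decimals (so the 6-decimal vs 18-decimal USDT caveat is handled), shows the price with and without the redundant 1e18 multiplier, the mint each produces for a 0.001 BNB deposit, and what dumping the inflated mint into a constant-product pool extracts. The pool sizes, the 1 MBU per USDT mint rate and the function names are constructed assumptions, not on-chain values.

```python
"""
Model of the MBU deposit path with EVM-style uint256 integer arithmetic:
the price normalisation with and without the redundant 1e18 multiplier,
the mint it produces for a 0.001 BNB deposit, and the dump of the minted
tokens into a constant-product pool. All reserves and rates are
constructed for illustration, not the on-chain values.
"""
from dataclasses import dataclass

WAD = 10**18  # 18-decimal fixed point, the usual DeFi convention


@dataclass(frozen=True)
class Pair:
    """Uniswap-v2/PancakeSwap-style pair: raw reserves plus each token's decimals."""
    reserve0: int
    reserve1: int
    decimals0: int
    decimals1: int


def _to_wad(amount: int, decimals: int) -> int:
    """Scale a raw token amount to 18 decimals (tokens with >18 decimals are out of scope)."""
    assert 0 <= decimals <= 18, "example assumes <= 18 decimals"
    return amount * 10 ** (18 - decimals)


def spot_price_fixed(pair: Pair, base_is_token0: bool) -> int:
    """Quote tokens per base token, 1e18 fixed point.

    Both reserves are normalised to 18 decimals before dividing, so a
    6-decimal quote (USDT on Ethereum) and an 18-decimal quote (USDT on BSC)
    yield the same price for the same pool.
    """
    if base_is_token0:
        base = _to_wad(pair.reserve0, pair.decimals0)
        quote = _to_wad(pair.reserve1, pair.decimals1)
    else:
        base = _to_wad(pair.reserve1, pair.decimals1)
        quote = _to_wad(pair.reserve0, pair.decimals0)
    return quote * WAD // base


def spot_price_buggy(pair: Pair, base_is_token0: bool) -> int:
    """The flaw the post describes: the result is already 1e18-scaled, then scaled by 1e18 again."""
    return spot_price_fixed(pair, base_is_token0) * WAD


def mint_for_deposit(wbnb_in: int, bnb_price_1e18: int) -> int:
    """MBU credited for a WBNB deposit: its USDT value, at 1 MBU per USDT (assumed rate)."""
    return wbnb_in * bnb_price_1e18 // WAD


def swap_exact_in(reserve_in: int, reserve_out: int, amount_in: int, fee_bps: int = 25) -> int:
    """Constant-product output for an exact input with a 0.25% fee (PancakeSwap v2)."""
    amount_in_with_fee = amount_in * (10_000 - fee_bps)
    return amount_in_with_fee * reserve_out // (reserve_in * 10_000 + amount_in_with_fee)


# Constructed pools: 10,000 WBNB against 6,000,000 USDT (600 USDT/BNB), and an
# MBU/USDT pool holding 1,000,000 MBU against 2,150,000 USDT.
BNB_USDT_BSC = Pair(10_000 * WAD, 6_000_000 * WAD, 18, 18)    # USDT has 18 decimals on BSC
BNB_USDT_ETH = Pair(10_000 * WAD, 6_000_000 * 10**6, 18, 6)  # same pool with a 6-decimal USDT
MBU_POOL_MBU = 1_000_000 * WAD
MBU_POOL_USDT = 2_150_000 * WAD


def replay(wbnb_in: int = 10**15) -> dict:
    """Deposit 0.001 BNB (1e15 wei) through both price functions and dump the buggy mint."""
    fixed_mint = mint_for_deposit(wbnb_in, spot_price_fixed(BNB_USDT_BSC, True))
    buggy_mint = mint_for_deposit(wbnb_in, spot_price_buggy(BNB_USDT_BSC, True))
    usdt_out = swap_exact_in(MBU_POOL_MBU, MBU_POOL_USDT, buggy_mint)
    return {
        "fixed_mint": fixed_mint,  # 0.6 MBU for 0.6 USDT worth of BNB
        "buggy_mint": buggy_mint,  # 1e18 times that
        "usdt_out": usdt_out,      # what the dump extracts from the MBU/USDT pool
        "pool_fraction_bps": usdt_out * 10_000 // MBU_POOL_USDT,
    }


if __name__ == "__main__":
    r = replay()
    print(f"fixed mint: {r['fixed_mint'] / WAD:.3f} MBU")
    print(f"buggy mint: {r['buggy_mint'] / WAD:.3e} MBU ({r['buggy_mint'] // r['fixed_mint']:e}x)")
    print(f"dump drains {r['pool_fraction_bps'] / 100:.2f}% of the USDT reserve")
```

Two points the numbers make that the prose only states: the mint is unbounded by anything except the multiplier, so the attacker's profit is limited by pool depth, not by the deposit; and because the constant-product curve asymptotes, a mint 1e18 times too large takes essentially the whole quote reserve regardless of the exact size.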

Damage Assessment

  • Dumped: ~30 million MBU tokens, realising ~$2.15M in stablecoins.
  • PancakeSwap liquidity pools were drained.
  • MBU holders faced an immediate price collapse.

The exploit effectively rendered MBU liquidity worthless.

Immediate Response

  • Mobius attempted to pause affected contracts.
  • Community alerts spread quickly, identifying the exploit as a proxy misconfiguration.
  • Centralized exchanges were notified to blacklist addresses, though stolen funds were already laundered.

Lessons Learned

The Mobius exploit is a textbook reminder of how small logical errors in smart contracts can have catastrophic financial consequences. In this case, a single miscalculation — an unnecessary 1e18 multiplier — inflated token valuations and allowed unlimited minting of MBU.

Key takeaways:

  • Audits are essential: This vulnerability was trivial to detect and would likely have been caught in even a basic smart contract audit. Launching an unaudited token contract exposed users and liquidity providers to unnecessary risk.
  • Validate core assumptions: Critical operations like minting and deposit accounting must include sanity checks. For example, mint amounts should always be bounded by expected ranges.
  • Don't rely on raw spot prices: Price oracles based purely on liquidity pool reserves are easily manipulated. Protocols should use time-weighted averages or trusted oracle frameworks to prevent distorted valuations.
  • Implement safeguards: Caps on maximum mintable amounts, liquidity checks, and invariant validations can act as last lines of defense, catching logic errors before they escalate.
  • Testing matters: Unit and integration tests that simulate edge cases (low liquidity, unusual decimals, tiny deposits) would likely have revealed the miscalculation before deployment.
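As an added example of the safeguards listed above (not Mobius code, and not the author's), the deposit path below keeps the same mint computation but places it behind independent checks: a liquidity-depth floor, a deviation bound against a reference price (TWAP or external oracle), a per-transaction mint cap, and a value-conservation invariant priced with the reference rather than the spot that sized the mint. The check names, thresholds and market numbers are illustrative assumptions. The `rejection_reason` helper and the `__main__` loop show the layering: with the 1e18-inflated price, switching off one guard just moves the rejection to the next one.

```python
"""
Guarded deposit path: the same mint computation behind independent sanity
checks, so a price that is wrong by 1e18 is refused several times over.
Check names, thresholds and market numbers are illustrative, not Mobius code.
"""
from dataclasses import dataclass, replace

WAD = 10**18   # 18-decimal fixed point
BPS = 10_000   # basis points


class DepositRejected(Exception):
    def __init__(self, reason: str, detail: str = ""):
        super().__init__(f"{reason}: {detail}".rstrip(": "))
        self.reason = reason


@dataclass(frozen=True)
class Guards:
    min_quote_liquidity: int      # USDT the BNB/USDT pool must hold before its spot price is trusted
    max_price_deviation_bps: int  # tolerated gap between pool spot and an independent reference price
    max_mint_per_tx: int          # hard ceiling on tokens a single deposit may mint
    max_value_excess_bps: int     # minted market value may exceed deposit value by at most this


@dataclass(frozen=True)
class Market:
    bnb_spot_1e18: int       # BNB/USDT from pool reserves: the manipulable input
    bnb_reference_1e18: int  # BNB/USDT from a TWAP or external oracle
    quote_reserve: int       # USDT reserve of the BNB/USDT pool
    mbu_price_1e18: int      # MBU/USDT from the MBU pool, used to size the mint


def guarded_mint(wbnb_in: int, m: Market, g: Guards) -> int:
    """Return the MBU to mint for `wbnb_in` wei, or raise DepositRejected naming the first failed check."""
    if wbnb_in == 0:
        raise DepositRejected("zero_deposit")
    if m.quote_reserve < g.min_quote_liquidity:
        raise DepositRejected("thin_liquidity", f"reserve {m.quote_reserve}")
    deviation_bps = abs(m.bnb_spot_1e18 - m.bnb_reference_1e18) * BPS // m.bnb_reference_1e18
    if deviation_bps > g.max_price_deviation_bps:
        raise DepositRejected("price_deviation", f"{deviation_bps} bps")
    deposit_value = wbnb_in * m.bnb_spot_1e18 // WAD   # USDT, 18 dp
    mint = deposit_value * WAD // m.mbu_price_1e18     # MBU worth that much at market
    if mint > g.max_mint_per_tx:
        raise DepositRejected("mint_cap", f"{mint}")
    # Value-conservation invariant, priced with the reference rather than the
    # spot that produced the mint, so it cannot inherit the spot price's fault.
    minted_value = mint * m.mbu_price_1e18 // WAD
    paid_in = wbnb_in * m.bnb_reference_1e18 // WAD
    if minted_value > paid_in * (BPS + g.max_value_excess_bps) // BPS:
        raise DepositRejected("value_invariant", f"out {minted_value} in {paid_in}")
    return mint


def rejection_reason(wbnb_in: int, m: Market, g: Guards):
    """None if the deposit passes, else the name of the first check it fails."""
    try:
        guarded_mint(wbnb_in, m, g)
    except DepositRejected as e:
        return e.reason
    return None


DEFAULT_GUARDS = Guards(
    min_quote_liquidity=100_000 * WAD,
    max_price_deviation_bps=200,      # 2%
    max_mint_per_tx=1_000_000 * WAD,
    max_value_excess_bps=100,         # 1%
)
NO_LIMIT = 10**40   # used to switch a check off and show that the next one still fires

# Constructed market: 600 USDT/BNB spot, 603 from the reference, MBU at 2.15 USDT.
SANE = Market(600 * WAD, 603 * WAD, 6_000_000 * WAD, 215 * 10**16)
BUGGY = replace(SANE, bnb_spot_1e18=600 * WAD * WAD)   # the redundant *1e18 from the post


if __name__ == "__main__":
    wei = 10**15   # 0.001 BNB
    print("sane mint:", guarded_mint(wei, SANE, DEFAULT_GUARDS) / WAD, "MBU")
    g = DEFAULT_GUARDS
    for disabled in ("max_price_deviation_bps", "max_mint_per_tx", "max_value_excess_bps"):
        print("buggy price rejected by:", rejection_reason(wei, BUGGY, g))
        g = replace(g, **{disabled: NO_LIMIT})
    print("all guards off:", rejection_reason(wei, BUGGY, g))
```

The last line of the run is the point of the "Testing matters" bullet: with every guard disabled the inflated deposit is accepted, which is exactly the state the Mobius contract shipped in. A unit test that feeds the spot price multiplied by 1e18, a one-wei deposit and a near-empty pool through this function, and asserts on the rejection reason, would have flagged the bug before deployment.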

Conclusion

The Mobius Token hack demonstrates how a single oversight in protocol logic can be weaponized into a multi-million dollar exploit. While the attack was not especially sophisticated, the consequences were severe: inflated token supply, drained liquidity pools, and permanent losses for holders.

Precision in mathematical calculations, especially around decimals and price normalization, is non-negotiable in DeFi. Projects must:

  • Rigorously test all minting and valuation functions.
  • Enforce strict validation and caps.
  • Undergo comprehensive third-party audits before launch.

Ultimately, the exploit underscores a simple truth: in DeFi, even the smallest arithmetic mistake can cascade into systemic failure. Careful design, thorough audits, and proactive monitoring remain the only effective defense against these types of attacks.
