🧵 BREAKING: $MBU exploit - how someone turned 0.001 BNB into $2.15M
Yesterday at 12:29 PM IST, Mobius Token got absolutely REKT. Found some juicy details you won't see elsewhere. Let's dig in...

1/ Attacker (0xb32a53) deployed their contract at 07:31 UTC, then exploited victim wallet 0xb5252f using contract 0x631adf just 2 mins later.
2/ The tech details: they called the deposit function on 0x95e9... with just 0.001 WBNB and minted 9.73 QUADRILLION $MBU tokens. That's not a typo.

7/ How it should have been coded:
solidityfunction depositBNB() public payable {
    uint256 bnbAmount = msg.value / (10 ** 18); // Properly scale BNB
    uint256 priceRatio = getPriceRatio(); 
    require(priceRatio > 0 && priceRatio < MAX_RATIO, "Invalid price");
    uint256 mbuToMint = bnbAmount * priceRatio;
    require(mbuToMint <= MAX_MINT_AMOUNT, "Too much");
    _mint(msg.sender, mbuToMint);
}

5/ Contract failed to properly scale BNB's 18 decimals, creating a multiplication error. Classic rookie mistake. The oracle returned incorrect values and... money printer go brrr.
6/ Attacker swapped just 28.5M of these tokens for $2.15M USDT, then straight to Tornado. All in minutes, minimal gas.

3/ After reviewing @AstraSecAI and @rotcivegaf's analysis, this wasn't just a basic access control issue. Much worse - it was a decimal handling error in the oracle price feed.
4/ Here's what likely happened:
solidityfunction depositBNB() public payable {
    uint256 bnbAmount = msg.value; // 18 decimals
    uint256 mbuToMint = bnbAmount * getPriceRatio(); // BOOM - decimal calculation error
    _mint(msg.sender, mbuToMint);
}