Vishal Pachpor
@0xvishal
🧵 BREAKING: $MBU exploit - how someone turned 0.001 BNB into $2.15M Yesterday at 12:29 PM IST, Mobius Token got absolutely REKT. Found some juicy details you won't see elsewhere. Let's dig in...

1/ Attacker (0xb32a53) deployed their contract at 07:31 UTC, then exploited victim wallet 0xb5252f using contract 0x631adf just 2 mins later.

2/ The tech details: they called the deposit function on 0x95e9... with just 0.001 WBNB and minted 9.73 QUADRILLION $MBU tokens. That's not a typo.

3/ After reviewing @AstraSecAI and @rotcivegaf's analysis, this wasn't just a basic access control issue. Much worse - it was a decimal handling error in the oracle price feed.

4/ Here's what likely happened:

```solidity
function depositBNB() public payable {
    uint256 bnbAmount = msg.value; // 18 decimals
    uint256 mbuToMint = bnbAmount * getPriceRatio(); // BOOM - decimal calculation error
    _mint(msg.sender, mbuToMint);
}
```

5/ Contract failed to properly scale BNB's 18 decimals, creating a multiplication error. Classic rookie mistake. The oracle returned incorrect values and... money printer go brrr.

6/ Attacker swapped just 28.5M of these tokens for $2.15M USDT, then straight to Tornado. All in minutes, minimal gas.

7/ How it should have been coded:

```solidity
function depositBNB() public payable {
    uint256 priceRatio = getPriceRatio();
    require(priceRatio > 0 && priceRatio < MAX_RATIO, "Invalid price");
    // Multiply before dividing so deposits under 1 BNB are not truncated to zero
    uint256 mbuToMint = (msg.value * priceRatio) / (10 ** 18); // Properly scale BNB
    require(mbuToMint <= MAX_MINT_AMOUNT, "Too much");
    _mint(msg.sender, mbuToMint);
}
```
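
The scaling error described in this thread, worked through as an added example that is not part of the original posts and is not Mobius contract code. It assumes a hypothetical oracle that returns the price as an 18-decimal fixed-point number; `MintMath`, `MintMathCheck` and the sample values are constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not Mobius code. Assumes a hypothetical oracle that
/// returns "MBU per 1 BNB" as an 18-decimal fixed-point number (WAD).
library MintMath {
    uint256 internal constant WAD = 1e18;

    /// Bug pattern from the thread: wei times a WAD-scaled price, never
    /// divided back down, so the result is 1e18 times too large.
    function unscaled(uint256 weiIn, uint256 priceWad) internal pure returns (uint256) {
        return weiIn * priceWad;
    }

    /// Dividing first truncates: any deposit under 1 BNB becomes 0.
    function divideFirst(uint256 weiIn, uint256 priceWad) internal pure returns (uint256) {
        return (weiIn / WAD) * priceWad;
    }

    /// Multiply, then divide once by the oracle scale. Result is in
    /// 18-decimal token units. Reverts on overflow (0.8 checked math).
    function scaled(uint256 weiIn, uint256 priceWad) internal pure returns (uint256) {
        return (weiIn * priceWad) / WAD;
    }
}

contract MintMathCheck {
    /// Constructed sample values: 0.001 BNB deposit, price 650 MBU per BNB.
    /// `ether` is only the Solidity unit suffix for 1e18; the asset is BNB.
    function check() external pure returns (bool) {
        uint256 weiIn = 0.001 ether;      // 1e15 wei
        uint256 price = 650 * 1e18;       // hypothetical oracle answer

        // Correct: 0.65 MBU in 18-decimal units.
        require(MintMath.scaled(weiIn, price) == 0.65 ether, "scaled");
        // Missing division inflates the mint by exactly 1e18.
        require(MintMath.unscaled(weiIn, price) == 0.65 ether * 1e18, "unscaled");
        // Divide-first rounds the whole deposit away.
        require(MintMath.divideFirst(weiIn, price) == 0, "divideFirst");
        return true;
    }
}
```

A unit test that pins the mint amount for a small deposit such as this one catches both the missing division and the truncating one before deployment.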

8/ This is part of a massive trend. @PeckShield reports April saw $360M in crypto losses across 18 hacks - a 990% increase from March. Security is getting worse, not better.

9/ Still no statement from the Mobius team. Wallet still active. If you're holding $MBU... well... oof.