Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
According to BlockSec monitoring, an unknown contract on BSC (BNB Smart Chain), suspected to be the LML/USDT staking protocol, has been exploited for approximately $950,000. Analysis indicates the vulnerability stems from a pricing design flaw: claimable rewards are calculated based on TWAP (Time-Weighted Average Price) or snapshot prices, allowing the attacker to sell reward tokens at manipulated spot prices. The attacker first pushed up the price of LML by executing trades through a path that included a zero-address recipient. Subsequently, they invoked the claim function via an address where tokens had been previously deposited, directly capturing the rewards during the exploit.

Attack method (per SlowMist): Contract Vulnerability.
Reported loss: $950,000.
- chain: bsc
- protocol: LML/USDT staking protocol
- bug_class: oracle
- date_occurred: 2026-04-01
- loss_usd: $950,000
- source_id: sm:lml-usdt-staking-protocol::2026-04-01
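
A mitigation for the pricing flaw described above, as an added example that is not part of the original record or the protocol's code: a claim guard that refuses payout while the pool's spot price diverges from its TWAP. The constant-product pool model, the reserve figures, the 3-second block interval and the 5% threshold are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

MAX_DEVIATION = 0.05   # assumed policy: tolerate 5% spot/TWAP divergence
BLOCK_SECONDS = 3      # assumed block interval for the sample data


@dataclass
class Pool:
    """Constant-product LML/USDT pool model (constructed, not on-chain data)."""
    lml: float
    usdt: float

    def spot(self) -> float:
        return self.usdt / self.lml          # USDT per LML

    def buy_lml(self, usdt_in: float) -> float:
        k = self.lml * self.usdt             # invariant x * y = k
        self.usdt += usdt_in
        out = self.lml - k / self.usdt
        self.lml -= out
        return out


def twap(observations):
    """Time-weighted average over (price, seconds_held) observations."""
    total = sum(dt for _, dt in observations)
    return sum(price * dt for price, dt in observations) / total


def check_claim(pool, observations, max_dev=MAX_DEVIATION):
    """Return (allowed, deviation); refuse while spot and TWAP disagree."""
    ref = twap(observations)
    dev = abs(pool.spot() - ref) / ref
    return dev <= max_dev, dev


def demo():
    """Run the guard against a quiet market and a one-block price spike."""
    results = []
    for usdt_in in (100, 100_000):           # ordinary trade vs. large push
        pool = Pool(lml=1_000_000, usdt=100_000)
        history = [(pool.spot(), 1800)]      # 30 minutes at the old price
        pool.buy_lml(usdt_in)
        history.append((pool.spot(), BLOCK_SECONDS))
        results.append(check_claim(pool, history))
    return results


if __name__ == "__main__":
    for allowed, dev in demo():
        print(f"claim allowed={allowed} deviation={dev:.2%}")
```

The one-block spike barely moves the 30-minute average, so the deviation is large and the claim is refused, while the ordinary trade passes.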