Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.
The Palmswap project on the BSC chain was attacked, and the attacker made a profit of more than 900,000 US dollars. According to SlowMist's analysis, the attack was possible because access control on a core function was not enabled and because the price calculation model for the liquidity token was too simple: it depended only on the number of USDT tokens in the treasury and the total supply. As a result, the attacker could use flash loans to manipulate the price and obtain unexpected profits. On July 28, Palmswap tweeted that 80% of the stolen funds had been returned and that the remaining 20% was used as a bug bounty for hackers.

Attack method (per SlowMist): Flash Loan Attack. Reported loss: $900,000.
- chain: bsc
- protocol: Palmswap
- bug_class: flashloan
- date_occurred: 2023-07-25
- loss_usd: $900,000
- source_id: sm:palmswap::2023-07-25