Design Flaw in BSC Chain Protocol Causes Losses of Hundreds of Thousands of Dollars


The BlockSec Phalcon security analytics platform recently flagged a significant incident on the BSC chain in which an unidentified contract lost roughly $100,000. The event exposed a serious weakness in a poorly designed token burn mechanism.

Attack Mechanism: Two-Stage Exploit on the BSC Chain

The attacker drained the pool in two phases. In the first, a single swap pulled 99.56% of the PGNLZ tokens held in the liquidity pool out of it, leaving the pool with almost no token reserve. This step set up the more involved second stage.

In the second phase, when the attacker sold PGNLZ tokens back, the token contract's transferFrom function burned 99.9% of the protocol's PGNLP tokens. The burn was followed by a reserve synchronization (the pair's sync operation), so the pool now priced its tiny remaining token balance against an untouched USDT reserve and the PGNLP price spiked dramatically. At that distorted price the attacker sold the tokens acquired in phase one and drained nearly all of the USDT liquidity from the pool.
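To make the two-phase sequence concrete, the following is an added toy model (not the protocol's code, nor BlockSec's or Odaily's analysis tooling) of a constant-product pair in the PancakeSwap V2 style. The token's sell-side hook burns a fraction of the pair's own token balance, a sync() then makes the reserves match the reduced balance, and the attacker sells into the inflated price. The pool sizes, the 0.25% fee, the 99.56% extraction and 99.9% burn fractions, and every name in the block (Pair, burn_hook, run) are constructed assumptions; a control run without the burn shows that the same trades on their own lose money to fees.

```python
"""Toy model of the burn-then-sync price manipulation described above.

Constant-product pair (PancakeSwap-V2 style) holding TOKEN and USDT. The
TOKEN contract has a sell-side hook that burns most of the pair's TOKEN
balance; after a sync() the pair prices the few remaining tokens against
the untouched USDT reserve. All figures are constructed for illustration.
"""
from dataclasses import dataclass

FEE = 0.0025  # 0.25% swap fee, PancakeSwap-V2 style (assumption)


@dataclass
class Pair:
    reserve_token: float   # reserves used for pricing (what getReserves() returns)
    reserve_usdt: float
    balance_token: float   # actual balances held by the pair contract
    balance_usdt: float

    @staticmethod
    def amount_out(amount_in, reserve_in, reserve_out):
        """Constant-product output for a fee-adjusted input."""
        a = amount_in * (1 - FEE)
        return a * reserve_out / (reserve_in + a)

    def sync(self):
        """Uniswap-V2 sync(): force the reserves to match the balances."""
        self.reserve_token = self.balance_token
        self.reserve_usdt = self.balance_usdt

    def buy_token(self, usdt_in):
        out = self.amount_out(usdt_in, self.reserve_usdt, self.reserve_token)
        self.balance_usdt += usdt_in
        self.balance_token -= out
        self.sync()  # _update() after a swap
        return out

    def sell_token(self, token_in):
        out = self.amount_out(token_in, self.reserve_token, self.reserve_usdt)
        self.balance_token += token_in
        self.balance_usdt -= out
        self.sync()
        return out

    def price(self):
        """USDT per TOKEN as the pair currently reports it."""
        return self.reserve_usdt / self.reserve_token


def usdt_needed_for_fraction(pair, fraction):
    """USDT input that buys `fraction` of the pair's TOKEN reserve
    (inverse of amount_out, solved for the input)."""
    a = fraction * pair.reserve_usdt / (1 - fraction)
    return a / (1 - FEE)


def burn_hook(pair, burn_fraction):
    """Flawed token logic (constructed): a sell-side transfer hook burns
    `burn_fraction` of the pair's own TOKEN balance."""
    pair.balance_token *= (1 - burn_fraction)


def run(initial_token, initial_usdt, extract=0.9956, burn=0.999, with_burn=True):
    """Replay the two phases and report the attacker's economics."""
    pair = Pair(initial_token, initial_usdt, initial_token, initial_usdt)
    # Phase 1: take almost all TOKEN out of the pool in one swap.
    spent = usdt_needed_for_fraction(pair, extract)
    held = pair.buy_token(spent)
    price_before = pair.price()
    # Phase 2: the sell-side hook burns the pool's tokens, then sync().
    if with_burn:
        burn_hook(pair, burn)
        pair.sync()
    price_after = pair.price()
    # Sell the phase-1 tokens back at the (possibly distorted) price.
    received = pair.sell_token(held)
    return {
        "spent": spent,
        "received": received,
        "profit": received - spent,
        "price_multiplier": price_after / price_before,
        "usdt_left_in_pool": pair.balance_usdt,
    }


if __name__ == "__main__":
    print("with burn:   ", run(1_000_000, 100_000))
    print("without burn:", run(1_000_000, 100_000, with_burn=False))
```

With a 1,000,000 TOKEN / 100,000 USDT pool the attack run reports a 1000x price multiplier and a profit of almost the whole 100,000 USDT that was in the pool, while the control run without the burn ends slightly negative (the swap fees). The burn does not create value; it moves the pool's USDT to whoever holds the tokens that were taken out before the burn.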

Root Cause: Flaw in the Burn Mechanism Design

According to Odaily's analysis, the root cause was a fundamental weakness in how the protocol tied its token burn to the liquidity pair. The design never considered an attacker who first extracts most of the pool's tokens and then triggers a burn, skewing the price ratio the pool reports.

Security Implications for the Chain Ecosystem

This incident shows that not every contract launched on the BSC chain has undergone a rigorous security audit. Protocols that rely on automatic burn mechanisms need to review every path by which a burn can change the token balance of a liquidity pair, and to test price manipulation and liquidity extraction scenarios explicitly. Before enabling a critical feature such as a token burn, BSC developers should stress test it against exactly this kind of adversarial transaction sequence.
