On 11 May 2025, our system detected a suspicious attack involving Mobius Token #MBU on Binance Smart Chain #BSC, which resulted in an approximate loss of $2.16M. The exploit on MBU came just three days after the token had been funded on 08 May by 0x18027eF7CC0e7dCe85120f69D0B91B4F4c9E07Bf.
The root cause was a surplus 10**18 multiplier in the unverified contract 0x637D8Ce897bb653cb83bA436CDf76bBe158f05B1, which introduced a 1e18 inflation error. This allowed the attacker to mint 9,731,099,570,720,980.659843835099042677 MBU with 0.001 BNB, which they then swapped for USDT.
Exploit Transaction: https://bscscan.com/tx/0x2a65254b41b42f39331a0bcc9f893518d6b106e80d9a476b8ca3816325f4a150
Addresses
Attack wallet: 0xb32a53af96f7735d47f4b76c525bd5eb02b42600
Vulnerable contract: 0x637D8Ce897bb653cb83bA436CDf76bBe158f05B1
Step by Step Event Flow
The number of Mobius tokens minted is calculated as: amount of BNB * USDT per BNB / USDT per Mobius
In function 0x371b(), the swap helper is consulted to retrieve USDT per BNB, which returned 656.921601740811896377 (the price of BNB).
This value (v1) is multiplied by varg1, which is wantAmt, both with 18 decimals, to give: amount of BNB * USDT per BNB.
Next, in function 0x3039(), USDT per Mobius is calculated from the ratio of reserve on a pancake pair.
The resulting calculation is: 2159553516647587844183110 (_reserve1) / 31989860347277356651458 (_reserve0) = 67.507438082060477686.
The value, which also carries 18 decimals, is then returned as returnValue 0x3a8da994411e464f6.
Since all the fetched prices carry 18 decimals, amount * price / price already yields a result with the correct number of decimals. However, a surplus 10**18 multiplier at the end of 0x3039() introduced a 1e18 inflation error: the function should simply have returned varg1 / v1.
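The following is an added example, not the Mobius contract's code or a decompilation of it: a Python model of the three-step calculation above in 18-decimal fixed point, using the on-chain values quoted in this write-up, that compares the intended varg1 / v1 result with the variant carrying the surplus 10**18 multiplier. The function names are assumed; the 0.001 BNB input and the prices and reserves are the figures stated above.

```python
# Added example modelling the MBU mint calculation; not the contract's own code.
# Every quantity is an integer scaled by 10**18, as in the decompiled contract.

WAD = 10**18

# Values quoted in the write-up (assumed to be the exact on-chain integers).
USDT_PER_BNB = 656_921_601_740_811_896_377     # 656.921601740811896377 * 1e18, from 0x371b()
RESERVE1 = 2_159_553_516_647_587_844_183_110    # _reserve1 of the pancake pair
RESERVE0 = 31_989_860_347_277_356_651_458       # _reserve0 of the pancake pair
WANT_AMT = 10**15                               # 0.001 BNB in wei, the attacker's input


def usdt_per_mbu(reserve1: int, reserve0: int) -> int:
    """USDT per Mobius, scaled by 1e18: the reserve ratio computed in 0x3039()."""
    return reserve1 * WAD // reserve0


def mint_amount_fixed(want_amt: int, usdt_per_bnb: int, price: int) -> int:
    """amount of BNB * USDT per BNB / USDT per Mobius.

    want_amt and both prices carry 18 decimals, so the extra 1e18 in the
    numerator (want_amt * usdt_per_bnb is scaled by 1e36) cancels against the
    1e18 in the denominator; the quotient is already an 18-decimal MBU amount.
    """
    varg1 = want_amt * usdt_per_bnb           # BNB * USDT/BNB, scaled by 1e36
    return varg1 // price                     # varg1 / v1, scaled by 1e18


def mint_amount_buggy(want_amt: int, usdt_per_bnb: int, price: int) -> int:
    """Same formula with the surplus 10**18 multiplier the root cause describes."""
    varg1 = want_amt * usdt_per_bnb
    return varg1 * WAD // price               # one factor of 1e18 too many


if __name__ == "__main__":
    price = usdt_per_mbu(RESERVE1, RESERVE0)
    print(f"USDT per MBU (1e18-scaled): {price} = {hex(price)}")
    fixed = mint_amount_fixed(WANT_AMT, USDT_PER_BNB, price)
    buggy = mint_amount_buggy(WANT_AMT, USDT_PER_BNB, price)
    print(f"correct mint for 0.001 BNB: {fixed / WAD:.18f} MBU")
    print(f"buggy mint for 0.001 BNB:   {buggy / WAD:,.0f} MBU")
```

Running it reproduces the 0x3a8da994411e464f6 return value and shows the intended mint of roughly 0.0097 MBU against the 9.73 quadrillion MBU actually minted.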
The attacker's address 0xb32a53af96f7735d47f4b76c525bd5eb02b42600 was funded on 4 May by a Tornado Cash deposit and was used to exploit MHT Trade on the same day in txn https://bscscan.com/tx/0x8dd331f85aa87c47b01ee6a2884df35833d78a2715effe0582fa20b0ea981.
Immediately after the Mobius exploit, the attacker laundered 2,100 BNB through Tornado Cash in 21 batches of 100 BNB. As of writing, there have not been any 100 BNB withdrawals from Tornado Cash.
The Stats
In 2025 we have recorded 46 incidents that were exploited as a result of a code vulnerability where we were unable to find any publicly available record of an audit for the project, with combined losses of $6.4M. These figures are solely for unaudited projects and do not include incidents where the project has obtained an audit that may not cover the affected contract(s).
To keep up to date on the latest incident alerts and statistics, follow @certikalert on X or read our latest analysis on certik.com.