One vulnerability targeted the BFB token’s misprice defense mechanism rather than the PancakeSwap liquidity pool itself.
Investigators traced the attack to a logical flaw in BFB’s price defense mechanism on the BNB chain. The attacker first funded gas fees with assets routed through Railgun, a privacy protocol that obscures transaction assets.


Then, repeatedly using the value zero Move from () Calls to move _priceDeflPool() With a flash loan, the attacker burned 5% of BFB tokens in the liquidity pool. This has been done about 151 times.
In each iteration, the value is zero Move from () Connection between externally owned accounts (EOAs) triggered _priceDeflPool() job. This caused the contract to burn 5% of the BFB tokens stored in the PancakeSwap liquidity pool and immediately connect sync() To update pool reserves.
How did the attacker drain the swimming pool?
Here, after almost exhausting the BFB reserve, RHe is the attacker Expendables Approximately 396.43 Binance (BNB) (about 226,000 USD) by exchanging a small amount of BFB for almost all coins BNB Bank In the pool.


The attacker later converted the stolen BFB to BNB and left the funds in the wallet 0x3BFA…6b0F without transferring them.
Investigators identified a logical flaw in BFBToken’s price defense mechanism as the root cause. They continue to monitor the wallet for any outgoing transfers.
The attacker also incorporated several techniques, including liquidity pool drain, reserve manipulation, automated market maker (AMM) price manipulation, flash loans, logic exploits, zero-value transaction abuse, loop execution, and Railgun financing.
An alarming rise in attacks
This coincided with TRM Labs data reveals a record 207 security breaches In the first half of 2026.


However, total losses fell sharply to $972 million, less than half of the $2.3 billion stolen during the same period in 2025.
The attack also came Polymarket’s recent phishing incidentwhere attackers compromised the front-end and manipulated what users viewed and signed.
Summer.fi’s autopsy also showed that the attackers spent about three months preparing the $6.04 million Lazy summer protocol Exploit it before implementing it.
Final summary
- 396.43 BNB was drained by the attacker in exchange for a small amount of BFB.
- A logic error in BFBToken’s price defense mechanism was the root cause of this attack.




