BFB Token Hack 2026 — $226K Exploit Analysis

An attacker exploited a logic flaw in BFB Token's _priceDeflPool() price-defense function on BNB Chain, using flash loans plus ~151 zero-value transferFrom() calls to deplete the LP BFB reserve and swap for ~396 BNB (~$226K).

Details

Full Description

On July 8, 2026, BFB Token, a BNB Chain token, was exploited for approximately $226K (about 396 BNB) through a logic flaw in the token's _priceDeflPool() price-defense function. The _priceDeflPool() function was designed to defend the token's price on liquidity pools by burning 5% of the LP pair's BFB balance and calling sync() whenever a price drop was detected, intending to reduce supply and push the price back up.\n\nThe flaw was that the price-defense trigger could be invoked by an attacker through zero-value transferFrom() calls. A zero-value transfer moves 0 tokens but still executes the token contract's transfer logic, including the price-drop detection path. By repeatedly calling transferFrom() with a zero amount — approximately 151 times — the attacker could trigger the _priceDeflPool() defense mechanism on each call, burning 5% of the LP pair's BFB balance and calling sync() each time. Each iteration reduced the BFB reserve in the LP pair without the attacker needing to hold or spend any BFB tokens themselves.\n\nCombined with flash-loaned capital to amplify the effect and to provide the initial liquidity manipulation, the attacker was able to progressively deplete the BFB reserve held in the LP pair. Once the BFB reserve was sufficiently depleted relative to the paired asset, the attacker swapped the manipulated pool to extract approximately 396 BNB (around $226K). The exploit demonstrated how a defensive mechanism intended to protect token price can be weaponized when its trigger conditions do not distinguish between genuine market pressure and adversarial zero-value calls.

Laundering Analysis

The attacker extracted approximately 396 BNB (~$226K) from the manipulated liquidity pool. The BNB was dispersed to attacker-controlled wallets on BNB Chain. No confirmed mixer routing or cross-chain bridge movement has been reported at the time of writing, and no recovery has been announced.

Sources

Transaction Hashes

Related Hacks

Back to Browse