QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$34 000 USD
APRIL 2025
GLOBAL
AIRWA
DESCRIPTION OF EVENTS
The AIRWA smart contract/token was created in the morning of April 3rd, 2025.
Unfortunately, the contract was launched with a lack of access control on the setBurnRate function, allowing funds to be drained.
The exploit of the $AIRWA token on the Binance Smart Chain (BSC) on April 4th stemmed from a critical access control vulnerability in the token's smart contract. Specifically, the contract exposed a public setBurnRate() function, which allowed any user to arbitrarily modify the burn rate of the token — a parameter that controls how much of the token is destroyed or removed from circulation during transfers or conversions.
The attacker exploited this flaw by calling setBurnRate() and setting the burn rate to a maliciously high or strategic value. This manipulation altered the internal tokenomics, allowing the attacker to trade a very small amount of $AIRWA (about 12 AIRWA tokens) and extract a disproportionately large amount of BNB — roughly 57 BNB, worth around $34,000 at the time. Because this function should have been restricted to the contract owner or admin, the lack of proper access control was the root cause of the vulnerability.
The attack involved three key addresses:
Attacker’s wallet: 0x70f0406e0A50C53304194B2668Ec853D664a3D9C
Attack contract: 0x2a011580f1b1533006967bd6dc63af7ae5c82363
Targeted AIRWA contract (non-open source): 0x3af7da38c9f68df9549ce1980eef4ac6b635223a
TenArmor has reported the amount lost as $33.6k USD.
The incident was reported by third parties such as TenArmor, CertiK, and GoPlus. However, there is no indication that this project has issued any response.
There were some public news reports. There is no indication of any investigation or recovery effort by the project.
There is no indication that any funds have been recovered.
The funds appear to be permanently gone.
The $AIRWA token on Binance Smart Chain was exploited due to a critical vulnerability in its smart contract. Launched just a day earlier, the contract lacked access control on its setBurnRate() function, allowing anyone to change the token’s burn rate. The attacker exploited this flaw to manipulate the tokenomics and trade ~12 AIRWA for ~57 BNB (worth approximately $33.6K). The project has not issued any public response, and there is no indication of recovery efforts. The stolen funds appear to be permanently lost.
TenArmor - "Our system has detected a suspicious attack involving #AIRWA on #BSC, resulting in an approximately loss of $33.6K. A Rug or a simple access control issue?" - Twitter/X (Aug 12)
Attack Transaction - BSCScan (Aug 12)
The AIRWA Exploiter - BSCScan (Aug 12)
GoPlusZH - "On April 4, an attack on $AIRWA on BSC resulted in a loss of 56.73 $BNB (~$34K). The attack was due to an access control vulnerability in $AIRWA's setBurnRate() function, which allowed the hacker to modify system parameters and exchange ~12 $AIRWA for ~57 $BNB." - Twitter/X (Aug 12)
The AIRWA contract was exploited by attackers, resulting in a loss of approximately $34,000 - Chain Catcher (Aug 12)
CertiK - "This morning AIRWA on BSC was exploited for ~$34k. The contract has a public setBurnRate() function which the attacker changed to burn AIRWA tokens and profit." - Twitter/X (Aug 12)
AIRWA Suffers $34,000 Loss in BSC Network Attack - Binance Square (Aug 12)
The AIRWA contract was exploited by attackers, resulting in a loss of approximately $34,000 - BitGet (Aug 12)
AIRWA Contract - BSCScan (Aug 12)
AIRWA Contract Creation - BSCScan (Aug 12)
AIRWA PancakeSwap Contract - BSCScan (Aug 12)
