$5 000 000 USD

AUGUST 2025

GLOBAL

BETTERBANK

DESCRIPTION OF EVENTS

BetterBank is a next-generation decentralized finance (DeFi) platform that aims to redefine traditional banking by offering a transparent, permissionless, and globally accessible alternative. Unlike conventional financial systems that are often slow, expensive, and exclusionary, BetterBank leverages blockchain technology to eliminate intermediaries, lower costs, and unlock financial tools for users regardless of their geographic or economic status. Rooted in the principles of decentralization, financial sovereignty, and fairness, BetterBank seeks to empower individuals with self-reliant financial control and greater earning potential.

 

The platform significantly improves on both traditional finance (TradFi) and existing DeFi protocols by offering open access to financial services and ensuring users are fairly compensated for the risks they take. It replaces the outdated model of banks profiting from customers with minimal returns by aligning risk and reward more equitably. Moreover, it introduces a “Sovereign Safety Structure” where smart contracts—not centralized institutions—govern operations, reducing the risk of human error, fraud, or interference.

 

BetterBank also brings innovative mechanics to DeFi lending through features like its **Favor credit system**, which protects the protocol from liquidity crises (bank runs) by dynamically adjusting credit supply and demand. It avoids the pitfalls of Ponzi-like structures found in many DeFi platforms by ensuring its token, Favor, has real utility beyond speculation. Through its cooperative investment model that blends lending, borrowing, and seigniorage, BetterBank creates a robust, yield-generating ecosystem where all participants benefit from both platform growth and personal capital efficiency.

 

A critical vulnerability in BetterBank's smart contract system allowed attackers to mint arbitrary amounts of Favor tokens by abusing the platform’s bonus mechanism. This exploit stemmed from an insufficient validation of trading pairs within the `UniswapWrapper`, where malicious users could deploy fake tokens and liquidity pools to trick the system into awarding unearned bonuses. While Zokyo, the auditing firm, did identify related risks during its July 2025 audit, the findings were not fully emphasized, and the exploit path using bogus tokens was not clearly outlined in their proof of concept (PoC), contributing to a downgrade in severity and incomplete mitigation.

 

Zokyo’s audit identified two relevant issues:

1. Exploits using flash loans to cycle large volumes and receive Favor bonuses.
2. Exploits involving custom-deployed tokens and liquidity pools to simulate valid trades and qualify for bonuses illegitimately.

 

The recommended fix—restricting swap paths and validating tokens—was partially implemented. However, the deployed contract failed to enforce critical controls such as strict path length and base token validation. As a result, a vulnerability remained allowing attackers to create bogus trading pairs and mint unlimited Favor tokens, exploiting a gap that had been theoretically flagged but practically overlooked.

 

On PulseChain, the BetterBank protocol was abused through a flaw that let an attacker mint arbitrary Favor tokens and convert some to ETH. The root cause was incorrect validation of liquidity pools: the contract trusted swap activity without verifying that the LP actually matched BetterBank’s registered pairs. By exploiting this gap the attacker was able to mint large bonus amounts tied to swap volume and then swap those tokens out for real value.

 

Because anyone can create an LP on PulseX (or deploy a custom contract) with one side set to BetterBank’s registered FAVOR token, the attacker created a bogus pair that qualified for bonuses. Crucially, the LP wasn’t created through BetterBank and therefore wasn’t treated as a registered pair subject to the protocol’s tax rules — allowing the attacker to avoid the heavy tax that would normally apply to bulk swaps and convert the illicitly minted Favor into untaxed ETH.
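
The validation gap and the recommended fix described above (strict path length, base token validation, registered-pair check), as an added Python model. It is not BetterBank's contract code and not taken from Zokyo's report; the token labels, pair registry, bonus rate and function names are constructed assumptions.

```python
from dataclasses import dataclass

# All identifiers below are constructed placeholders, not real addresses.
FAVOR = "FAVOR"
BASE_TOKENS = {"PLS", "PLSX", "PDAI"}      # assets the protocol accepts
REGISTERED_PAIRS = {                        # LPs created through the protocol
    frozenset({"PLS", FAVOR}): "pair:PLS/FAVOR",
    frozenset({"PDAI", FAVOR}): "pair:PDAI/FAVOR",
}
BONUS_BPS = 500                             # assumed bonus rate (5%)

@dataclass(frozen=True)
class Swap:
    path: tuple       # token route, input token first
    pair: str         # LP contract that executed the trade
    favor_out: int    # FAVOR received by the buyer

def weak_bonus(swap: Swap) -> int:
    """Flawed model: pays on volume whenever FAVOR comes out of any LP."""
    if not swap.path or swap.path[-1] != FAVOR:
        return 0
    return swap.favor_out * BONUS_BPS // 10_000

def rejection_reasons(swap: Swap) -> list:
    """Hardened checks: strict path length, base token, registered LP."""
    if len(swap.path) != 2:
        return ["path must be exactly [base token, FAVOR]"]
    token_in, token_out = swap.path
    reasons = []
    if token_out != FAVOR:
        reasons.append("output token is not FAVOR")
    if token_in not in BASE_TOKENS:
        reasons.append("input token is not an approved base token")
    expected = REGISTERED_PAIRS.get(frozenset(swap.path))
    if expected is None or expected != swap.pair:
        reasons.append("LP is not the registered pair for this route")
    return reasons

def strict_bonus(swap: Swap) -> int:
    """Mint a bonus only when every check passes."""
    if rejection_reasons(swap):
        return 0
    return swap.favor_out * BONUS_BPS // 10_000

# Constructed sample swaps.
LEGIT = Swap(("PLS", FAVOR), "pair:PLS/FAVOR", 1_000_000)
BOGUS = Swap(("BOGUS", FAVOR), "pair:BOGUS/FAVOR", 1_000_000_000)
UNREGISTERED_LP = Swap(("PLS", FAVOR), "pair:unregistered", 1_000_000_000)
MULTIHOP = Swap(("PLS", "BOGUS", FAVOR), "pair:BOGUS/FAVOR", 1_000_000_000)
```

In this model `weak_bonus` pays the same rate on the bogus pair as on a registered one, while `strict_bonus` pays only when the route is exactly one approved base token into FAVOR through the LP the protocol itself registered.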

 

Amount of loss: $5,000,000 according to SlowMist.

 

Loss estimates from the team are -890,874,504.36 pDai, -9,051,537,270.60 PulseX, and -7,409,330,692.99 Pulse.

 

BetterBank publicly acknowledged the exploit, informing their community that they had identified how the exploit was carried out and were actively assessing the damage. They promised further updates as they worked through the aftermath.

 

As the day progressed, the incident sparked further analysis and commentary. Chaofan Shou, a blockchain security researcher, posted an initial analysis of the exploit mechanism on Twitter/X at 8:47 PM MDT. Shortly after, Zokyo, the cybersecurity firm that had performed the audit on BetterBank’s smart contract, noticed the exploit and began weighing in. By August 27th, 2025, Zokyo publicly acknowledged that they should have been more thorough in their audit, recognizing that the severity of the issue had not been fully addressed during the review process. This led to BetterBank issuing a public statement later that morning, 7:56 AM MDT, to explain the communication breakdown with Zokyo and their realization of the missed risk.

 

The incident continued to develop with posts from various industry figures and platforms. Web3IsGoingGreat shared the incident on their platform at 9:02 AM MDT, while Zokyo published a full incident overview at 5:42 AM MDT. Concerns about a potential rug pull emerged in the aftermath, which BetterBank addressed in a public post at 11:05 PM MDT, aiming to reassure the community that the exploit was not a malicious act but rather a vulnerability in the system.

 

After a few weeks of intense development and troubleshooting, BetterBank successfully completed the process of rebuilding their protocol, addressing the vulnerabilities exposed by the exploit. On August 31st, 2025, BetterBank shared that the protocol was undergoing significant redevelopment and had encountered a delay due to a bug discovered during a further audit by 0xGuard. Despite this setback, BetterBank remained transparent about the progress and the ongoing improvements to the platform. Their efforts were focused on fixing the security flaws and ensuring that the system would be more robust and secure when relaunched.

 

The moment of recovery came on October 12th, 2025, when BetterBank officially announced its relaunch at 12:00 UTC. This marked the end of the recovery process and the successful return of the platform. The relaunch allowed users to resume normal activities, such as depositing and withdrawing from the Stronghold, staking and unstaking in the Groves, buying and selling FAVOR tokens, and using FAVOR LP as collateral for borrowing. The relaunch was presented as a fresh start, with BetterBank promising that the platform was now stronger and more secure than ever, thanks to weeks of fixes, rigorous audits, and meticulous code fine-tuning.

 

BetterBank expressed gratitude to their community for their patience and support during the challenging recovery period. The relaunch was not just about restoring the platform but improving it for the long term, ensuring users could engage with the protocol safely and efficiently. The BetterBank team’s determination to rebuild and enhance the platform marked the conclusion of a difficult chapter, with the community’s trust and loyalty being crucial to the platform’s recovery and future growth.

 

The attacker reportedly later returned around $2.7 million of the stolen assets, having cashed out around $1.4 million.

 

It is unclear if any further actions will be undertaken against the exploiter.

 

The new BetterBank platform has undergone a significant number of audits, and further vulnerabilities are unlikely.

BetterBank, a decentralized finance platform on PulseChain, suffered a major exploit in August 2025 due to a smart contract vulnerability that allowed an attacker to mint arbitrary Favor tokens. By abusing a flaw in the platform's bonus system and bypassing tax mechanisms using bogus liquidity pools, the attacker drained an estimated $5 million in value. Although the issue had been flagged in a prior audit by cybersecurity firm Zokyo, poor communication and incomplete implementation of the recommended fixes left the exploit path open. Following public acknowledgment, community updates, and scrutiny, BetterBank worked through several delays and audits—ultimately relaunching a fully rebuilt and secured platform on October 12, 2025. The attacker later returned roughly $2.7 million, but it remains unclear if further action will be taken.

HOW COULD THIS HAVE BEEN PREVENTED?

This incident underscores the critical importance of comprehensive communication in blockchain security. Auditors must not only identify risks but ensure their findings are communicated clearly and explicitly to prevent misunderstandings. Clients, on the other hand, must prioritize and implement fixes for identified risks, even if they seem theoretical at first. Ultimately, security is a shared responsibility: while auditors can flag issues and suggest solutions, it is the project's responsibility to apply, verify, and ensure those fixes are in place before deployment to safeguard the platform.

 


BetterBank exploited, some funds returned - Web3IsGoingGreat (Oct 16)
Web3 Is Great - "BetterBank exploited, some funds returned August 27, 2025" - Twitter/X (Oct 16)
Zokyo.io - "Yesterday, @BetterBank_io was exploited, resulting in the free minting of favor tokens. Note: We flagged the core risks during the audit. Here’s what happened, what was ignored, and what can be learned." - Twitter/X (Oct 16)
BetterBank - "The wait is almost over. We’re officially relaunching this Sunday, 12:00 UTC October 12th." - Twitter/X (Oct 16)
BetterBank - "0xGuard caught a late (but critical) vulnerability... a way to manipulate stale price oracles on our LPs, which could’ve hit the entire lending side. It's a super math-heavy exploit, and they were the first to catch it." - Twitter/X (Oct 16)
Zokyo.io - "we acknowledge our audit should have been more thorough. Our PoC used test ETH (a legitimate token). The same issue could be reproduced with bogus tokens, but we didn’t explicitly state that in the PoC, which led to the severity being downgraded." - Twitter/X (Oct 16)
Zokyo.io - "We’ve published our full statement on the BetterBank exploit, It includes the audit findings, context, and important lessons for developers and researchers." - Twitter/X (Oct 16)
BetterBank Exploit: Incident Overview - Zokyo.io Blog (Oct 16)
BetterBank.io - "UPDATE BETTERBANKERS We have figured out what the exploit was and how it was done. At the moment we’re currently assessing the damage and looking for a way to counter it. The intention remains to shield our users from theft. There will be further updates as we move to resolve this." - Twitter/X (Oct 16)
BetterBank.io - "They did talk about the contract in question, but they ran their attack with test ETH, and that attack showed a negative yield. Test ETH should for PulseChain purposes be considered a token that we want, like PLS, PLSX, or PDAI. Not any bogus token that anyone could mint." - Twitter/X (Oct 16)
BetterBank.io - "Do well to visit the community chat to stay updated." - Twitter/X (Oct 16)
BetterBank.io - "Dear Everyone, Unlike most posts from us, this is Nicky speaking, principal founder of BetterBank. I would like to address the audit issue with @zokyo_io" - Twitter/X (Oct 16)
BetterBank.io - "Myth vs Fact Myth: BetterBank pulled a rug. Fact: if it was a rug, why would: . We pause contracts in under few minutes? . Keep the treasury untouched for recovery? . Be working with auditors and Devs on fixes? We didn’t rug, we got hacked. And we’re very sorry it happened, now we focus on rebuilding Better." - Twitter/X (Oct 16)
BetterBank.io - "It’s been an eventful few days of rebuilding, so here’s where we stand: We’ve cut down a lot of contract code with unit tests leaner and more efficient. Token contracts are under strong revision less bots, less wrappers, more handled directly at contract level. We’re talking with 4 new auditors (Halborn, Peckshield, CodeSpec, FailSafe) and are talking to Zokyo for a re-audit." - Twitter/X (Oct 16)
shoucccc - "$1M+ was hacked from @BetterBank_io today due to incorrect validation of LPs. Anyone can create an LP on PulseX or even use their own contract with one side as BetterBank's registered FAVOR token and then perform bulk swapping to receive a significant bonus, which can be converted to real money. While pure bulk swapping would lead to significant tax, much higher than the bonus, but since the LP was not created via BetterBank, it is not registered as a pair, and thus, no tax is charged." - Twitter/X (Oct 16)
Exploit Transaction - Otter.Pulsechain.com (Oct 16)
BetterBank.io - "--- Exploit damage: -890,874,504.36 pDai -9,051,537,270.60 PulseX -7,409,330,692.99 Pulse At the time of the theft, that was about $5M We now log a strong "bad debt" in our protocol." - Twitter/X (Oct 16)
Better Bank Homepage (Oct 16)
Better Bank Github (Oct 16)
BetterBank Twitter/X Account (Oct 16)
Zokyo Twitter/X Account (Oct 16)
Zokyo.io Homepage (Oct 16)

Sources And Further Reading


© 2019 - 2025 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.