QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$2 157 000 USD
MAY 2025
GLOBAL
MOBIUS DAO
DESCRIPTION OF EVENTS

MobiusDAO (MBU) claims to have created the next-generation reserve currency protocol by integrating algorithmic monetary policies with native liquidity control. Its hybrid model is said to leverage the full capital structure hierarchy to optimize liquidity and ensure long-term protocol health through diversified stablecoin reserves and robust treasury collateral. The protocol is designed to deliver asset-backed stability with highly liquid backing per MBU token and transparent on-chain reserves, using a closed-loop feedback system to mitigate risks.
MobiusDAO emphasizes protocol-owned liquidity, controlling over 99% of its liquidity through a bonding mechanism that enables permanent liquidity pools and multiple automated liquidity controls. The dynamic monetary policy reportedly includes a Range Bound Stability (RBS) system that manages supply through automated minting and burning, and offers staking rewards through a "double-rebase" mechanism.
The protocol is designed to incentivize liquidity providers (LPs) to stake digital assets in liquidity pools in exchange for MBU tokens, deepening reserves and fostering a sustainable market-making ecosystem. MBU holders can stake tokens for governance rights and compounding rewards, aligned with a token release curve that promotes long-term engagement. Additionally, MobiusDAO introduced bond-structured assets to grow treasury reserves via time-locked deposits, converting short-term liquidity into lasting value and sustaining a deflationary tokenomic framework.
According to Rekt News, "MobiusDAO launched on May 8 with little more than a token address, a bare bones website, and some fancy buzz speak of “Dimensional Integration” for DeFi and RWAs."
The smart contract reportedly did not have any audits.
"The bug? A decimal handling error that turned pennies into quadrillions."
Exploit TX: 0x2a65254b41b42f39331a0bcc9f893518d6b106e80d9a476b8ca3816325f4a150
Blockaid: "The exploit contract calls the deposit function on contract 0x95e92b09b89cf31fa9f1eca4109a85f88eb08531.
This function accepts a deposit and mints the equivalent amount of MBU."
"The deposit function supports USDT and WBNB. If the user had deposited WBNB, the contract calls getBNBPriceInUSDT to get the value of the deposited tokens."
"However, this flow has an error - this function returns the amount with decimals (X * 10 ** 18).
Yet, after calling to getBNBPriceInUSDT, the contract does this multiplication again - which leads to the caller being minted 10**18 more MBU tokens than they should’ve."
"Once the exploit contract had minted their tokens, they used PancakeSwap to trade it for USDT (draining liquidity from the pool and sending the token value to 0 along the way)."
QuillAudits: "The attacker was funded with 10 BNB through Tornado Cash. The attacker, through their malicious contract, initially called the deposit function on the contract with only 0.001 WBNB, worth about $0.67 at the time of writing. This little deposit helped the attacker to mint over 9.7T tokens."
"The deposit function accepts the deposit and mints an equivalent amount of MBU tokens in the sender’s address. In the function, whenever a user deposits WBNB, the function gets the price of BNB to calculate the amount of tokens to transfer."
"The price comes in from the function getBNBPriceInUSDT, which returns the price in 18 decimals. The price returned as seen in the above image is ~$656, which is correct.
The problem arises as the function returns the value in 18 decimals, the contract multiplies this value again by 10**18, minting an enormous amount of tokens.
Once the exploit was done, the attacker sold the tokens at the available PCS liquidity pools, siphoning around $2.15M."
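An added illustration of the scaling error that Blockaid and QuillAudits describe, not code from the MobiusDAO contract: a Python model using the quoted 0.001 WBNB deposit and ~$656 price, with a scale-tagged calculation and a mint invariant that a test suite or guard could enforce. The function bodies, the Scaled helper, the 1 MBU = 1 USDT mint rate and the exact arithmetic of the faulty path are assumptions.

```python
from dataclasses import dataclass

WAD = 10**18  # 18-decimal unit (WBNB and USDT on BNB Chain; assumed for MBU)

@dataclass(frozen=True)
class Scaled:
    """Integer tagged with its decimal scale, so scale mistakes are visible."""
    raw: int
    decimals: int

    def mul(self, other: "Scaled") -> "Scaled":
        # Multiplying fixed-point values adds their scales (18 + 18 = 36).
        return Scaled(self.raw * other.raw, self.decimals + other.decimals)

    def rescale(self, decimals: int) -> "Scaled":
        shift = self.decimals - decimals
        if shift >= 0:
            return Scaled(self.raw // 10**shift, decimals)
        return Scaled(self.raw * 10**(-shift), decimals)

def get_bnb_price_in_usdt() -> int:
    # Stand-in for the price getter named above: ~656 USDT/BNB, already x 1e18.
    return 656 * WAD

def mint_buggy(wbnb_wei: int) -> int:
    # Modelled defect: the 18-decimal USDT value is multiplied by 1e18 again.
    usdt_value = wbnb_wei * get_bnb_price_in_usdt() // WAD
    return usdt_value * WAD

def mint_fixed(wbnb_wei: int) -> int:
    # amount (18 decimals) * price (18 decimals) = 36; scale back to 18 once.
    value = Scaled(wbnb_wei, 18).mul(Scaled(get_bnb_price_in_usdt(), 18))
    return value.rescale(18).raw

def mint_is_sane(wbnb_wei: int, minted: int, tolerance_bps: int = 50) -> bool:
    # Invariant: minted MBU (assumed 1 MBU = 1 USDT) must stay within the
    # tolerance of the deposit's USDT value, otherwise the mint is rejected.
    expected = wbnb_wei * get_bnb_price_in_usdt() // WAD
    return abs(minted - expected) * 10_000 <= expected * tolerance_bps

DEPOSIT = WAD // 1000  # 0.001 WBNB, the deposit size quoted above

if __name__ == "__main__":
    for name, fn in (("buggy", mint_buggy), ("fixed", mint_fixed)):
        minted = fn(DEPOSIT)
        print(name, minted / WAD, "MBU, sane:", mint_is_sane(DEPOSIT, minted))
```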
Blockaid reports "$2.1M had been drained so far". They show a screenshot with 2157126.179 USDT.
Cyvers Alerts reports "over $2.15M".
Rekt News calls this a "$2.15 million magic trick".
The blockchain reports 2,157,126.179348943736411799 USDT.
"MobiusDAO has contacted professional cybersecurity companies and global law enforcement agencies to report the incident. The token is currently under investigation, and the progress of the situation will be announced by the police at the same time."
Sources consistently report that the funds were moved through Tornado Cash after the attack. Rekt News reports "21 neat transfers of 100 BNB each".
It appears that Mobius DAO is still attempting to pursue recovery through law enforcement. The attacker moved their funds through Tornado Cash, which may make this process difficult.
The Mobius DAO protocol is reportedly working on relaunch plans.
MobiusDAO (MBU) claims to have created a next-generation reserve currency protocol featuring algorithmic monetary policy, native liquidity control, and asset-backed stability. Despite promises of innovation—including protocol-owned liquidity, automated supply adjustments, and bond-structured assets—the project launched with minimal infrastructure, no smart contract audits, and vague marketing language. Just days after launch, a critical bug in the contract's handling of decimal values allowed an attacker to mint 10¹⁸ times more MBU tokens than intended from a tiny WBNB deposit. This exploit drained over $2.15 million via PancakeSwap and Tornado Cash, effectively crashing the token. MobiusDAO has since contacted cybersecurity firms and law enforcement, and is reportedly planning a protocol relaunch, though recovery remains uncertain due to the attacker's laundering through Tornado Cash.
Mobius DAO - Rekt (May 13)
Blockaid - "Our exploit detection system had identified multiple malicious transactions targeting Mobius Token ($MBU) contracts. $2.1M had been drained so far." - Twitter/X (May 13)
Cyvers Alerts - "Our system has detected an exploit on Mobius Token smart contracts, draining over $2.15M in Mobius Token ($MBU) on BNB Chain." - Twitter/X (May 13)
Mobius Token (MBU) Versus USDT Trading Pair - Dexscreener (May 13)
Mobius DAO Homepage (May 13)
Mobius DAO Web Application (May 13)
Exploit Transaction With 2,157,126.179348943736411799 USDT - BSCScan (May 13)
@MobiusDAO123 Twitter (May 13)
@MobiusDAO123 Twitter (May 13)
@MobiusDAO123 Twitter (May 13)
MobiusDAO - "MobiusDAO has contacted professional cybersecurity companies and global law enforcement agencies to report the incident. The token is currently under investigation, and the progress of the situation will be announced by the police at the same time." - Twitter/X (May 13)
@MobiusDAO123 Twitter (May 13)
@MobiusDAO123 Twitter (May 13)
@MobiusDAO123 Twitter (May 13)
@MobiusDAO123 Twitter (May 13)
@MobiusDAO123 Twitter (May 13)
@MobiusDAO123 Twitter (May 13)
Mobius Token Exploit Breakdown: $2.1M Lost due to Poor Logic - Quill Audits (May 13)
https://x.com/TenArmorAlert/status/1921474575965065701 (Aug 1)
