QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$108 000 USD
APRIL 2025
GLOBAL
OPC
DESCRIPTION OF EVENTS
The OPC smart contract was first created on the Binance Smart Chain on March 30th, 2025.
Unfortunately, the logic in the OPC smart contract was backwards, causing the price to increase as more tokens were sold.
The exploit involving the OPC token, which resulted in a loss of approximately $104,000, was caused by a flawed implementation in the smart contract at address 0xa642. Specifically, the vulnerability lies in its custom sell function, identified by selector 0xdb3f7000. When tokens are sold through this function, it not only transfers tokens from the user but also burns a nearly equivalent amount of OPC tokens directly from the liquidity pool (e.g., a Uniswap pair). This unintended burning mechanism reduces the OPC supply in the pool, artificially inflating the token's price with each sale.
Because of this flawed logic, an attacker could repeatedly sell tokens and watch the price of OPC rise rather than fall — the opposite of expected market behavior. This created a feedback loop: the more tokens sold, the more tokens were burned from the pool, and the higher the price climbed. The attacker exploited this behavior to manipulate the price upward during sell operations, then likely swapped the inflated OPC tokens for other assets at a profit. The vulnerability stems from a misunderstanding of how liquidity pools work and the impact of modifying reserves directly, especially through token burning.
TenArmor reports "an approximately loss of $107.5K".
There was widespread analysis among some third parties, however there doesn't appear to be any public presence with an official update from the OPC project.
TenArmor reports that the stolen funds were subsequently deposited in TornadoCash.
There is no indication that any of the funds have been recovered.
It is unclear if any investigation is underway or any recovery in progress.
The OPC smart contract on Binance Smart Chain contained a critical flaw in its sell function that caused the token’s price to rise instead of fall during sales. This backwards logic stemmed from burning OPC tokens directly from the liquidity pool each time tokens were sold, artificially inflating the price with every transaction. An attacker exploited this mechanism to drive up the price and extract inflated profits, ultimately resulting in a loss of approximately $107.5K, according to TenArmor. The stolen funds were later funneled through TornadoCash, with no public updates from the OPC project or signs of recovery or investigation at this time.
TenArmor - "Our system has detected a suspicious attack involving #OPC on #BSC, resulting in an approximately loss of $107.5K. The stolen funds have been deposited into http://Tornado.Cash." - Twitter/X (Aug 12)
Attack Transaction - BSCScan (Aug 12)
smhkptking - "OPC token exploited for $104k. Root cause: contract 0xa642 has a sell function 0xdb3f7000, when selling it burns almost the same amount of OPC tokens from pair and thus drives the price up. The more you sell, the higher price goes." - Twitter/X (Aug 12)
Tikkala Research - "A 3-days OPC contract was attacked, with the attacker gaining about $107k in [one] transaction. The root cause is an unknown selector, 0xdb3f7000 in the contract, which burns tokens from swaps, affecting the K number." - Twitter/X (Aug 12)
BlockChain Security - "root cause: 0xa642e66873111deb830739b90c03fd6981a34332 0xdb3f7000 function" - Twitter/X (Aug 12)
0xEncore - "OPC token exploited for $107.4k. Root cause: when sell tokens, sell function 0xdb3f7000 burns OPC tokens from pair and thus drives the price up. The more you sell, the higher price goes." - Twitter/X (Aug 12)
BlockSec Phalcon - "ALERT! Our systems flagged a suspicious TX on #BSC exploiting price manipulation via burn pair, resulting in $107K loss." - Twitter/X (Aug 12)
OPC Incident Attack Transaction - BlockSec App (Aug 12)
Victim OPC Smart Contract - BSCScan (Aug 12)
Victim OPC Smart Contract Creation - BSCScan (Aug 12)
Victim OPC Smart Contract - TokenView (Aug 12)
