$612 000 USD

JULY 2025

GLOBAL

NONE

DESCRIPTION OF EVENTS

An unverified contract was created on July 21st, 2025. Little is known about this contract or its creator.

 

The smart contract contained a vulnerability which allowed tokens to be drained from users who had granted the contract permissions.

 

The exploit took place on the Binance Smart Chain (BSC) and involved a smart contract at address 0x16D7..., which lacked adequate access control on a specific function: 0xf8c03cc4(). Because the function was exposed to any caller, anyone could invoke it and trigger token swaps on behalf of users who had previously approved the contract to spend their tokens.

 

The attacker exploited this vulnerability by identifying externally owned accounts (EOAs) that had given token approvals to the contract—likely in anticipation of a legitimate service or interaction. Using the 0xf8c03cc4() function, the attacker repeatedly drained these tokens by swapping them through manipulated or malicious liquidity pools (e.g., fake PancakeSwap pools) with inflated exchange rates, maximizing the value extracted per transaction. One example involved draining Wrapped BNB (WBNB), while another involved TA tokens, both via pools under the attacker's control.
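
The flaw described above, as an added illustration that is not code from the incident contract (which is unverified) or from the cited reports: a hypothetical Solidity helper whose swap function lets any caller name both the account to pull approved tokens from and the pool to route through, beside a hardened form that spends only the caller's own allowance, restricts pools to an allowlist and enforces a minimum output. All contract, interface and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. Every name here is hypothetical; nothing is recovered
// from the unverified incident contract.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IPool {
    // Hypothetical pool: expects tokenIn to be sent first, then pays `to`.
    function swap(address tokenIn, uint256 amountIn, address to) external returns (uint256 amountOut);
}

contract SwapHelperVulnerable {
    // No check ties `owner` to msg.sender, and `pool` is caller-supplied:
    // any caller can spend any allowance granted to this contract, through
    // a pool of the caller's choosing.
    function swapFor(address owner, IERC20 token, uint256 amount, IPool pool) external {
        require(token.transferFrom(owner, address(pool), amount), "transferFrom failed");
        pool.swap(address(token), amount, owner);
    }
}

contract SwapHelperHardened {
    address public immutable admin;
    mapping(address => bool) public allowedPool;

    constructor() {
        admin = msg.sender;
    }

    function setPool(address pool, bool allowed) external {
        require(msg.sender == admin, "not admin");
        allowedPool[pool] = allowed;
    }

    // Spends only the caller's own allowance, only through vetted pools,
    // and reverts if the pool returns less than the caller's stated minimum.
    function swap(IERC20 token, uint256 amount, IPool pool, uint256 minOut) external {
        require(allowedPool[address(pool)], "pool not allowlisted");
        require(token.transferFrom(msg.sender, address(pool), amount), "transferFrom failed");
        uint256 out = pool.swap(address(token), amount, msg.sender);
        require(out >= minOut, "insufficient output");
    }
}
```

When reviewing a contract that asks for token approvals, the pattern to look for is a `transferFrom` whose `from` argument comes from call data rather than `msg.sender`.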

 

This attack affected a wide range of TrustaLabs token holders and led to an estimated total loss of around $615,000. The victims were primarily users who had unknowingly granted token approvals to the vulnerable contract.

 

Attack Transactions:
  • 0x960f3fbbe53b80bc306a64ad33d16dd73bfc164c787114d57cfe0080b5c10b08
  • 0xc3745e4f08bcccaf3efe584a9408d77d675cb996151735c8deaff34997c3a10e
  • 0xb92d3594b818470cc3f6c03eff4a9c5704d87df9749557336545c39c7b2bfed9

 

HackenClub reported the losses as $615k, with loss transactions including 0x960f for $280k and 0xc374 for $335k. TenArmor reported the total loss as $610k, from 3 transactions.

 

Reports about the exploit were put together and published by HackenClub and TenArmor.

 

It appears that the vulnerable contract caused damage far beyond its initial purpose. It's unclear if any recovery was made or any actions were undertaken to resolve the vulnerability.

 

There is no indication that any funds were recovered from the incident.

 

Investigation may continue for affected users.

 

Explore This Case Further On Our Wiki

An unverified smart contract was deployed on the Binance Smart Chain (BSC) at address 0x16D7..., containing a critical vulnerability in its 0xf8c03cc4() function. Due to a lack of proper access controls, the function could be called by anyone to initiate token swaps using assets from users who had granted the contract prior approvals. The attacker exploited this flaw by draining tokens—such as WBNB and TA—from unsuspecting users, swapping them through malicious or manipulated liquidity pools at inflated rates. This led to losses totaling approximately $615,000, with notable attack transactions including 0x960f, 0xc374, and 0xb92d. The victims were largely TrustaLabs token holders, and the exploit was reported by both HackenClub and TenArmor. No fund recovery has been reported, and the contract remains a cautionary example of the risks of approving unverified contracts.

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.


© 2019 - 2026 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.