Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/runwaybycburnfunctionlacksaccesscontrol.php}} {{Unattributed Sources}} Binance Smart ChainBYC is a token on the Binance Smart Chain (BSC), created on November 27th, but apparently lacking social media presence or a website. The token is vulnerable to an arbitrary burn attack due to flaws in its transfer function, specifically in the autoBurnLiquidity m..."

2025-01-21T22:35:09Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/runwaybycburnfunctionlacksaccesscontrol.php}} {{Unattributed Sources}} thumb|Binance Smart ChainBYC is a token on the Binance Smart Chain (BSC), created on November 27th, but apparently lacking social media presence or a website. The token is vulnerable to an arbitrary burn attack due to flaws in its transfer function, specifically in the autoBurnLiquidity m..."

New page

{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/runwaybycburnfunctionlacksaccesscontrol.php}}
{{Unattributed Sources}}

[[File:Binancesecurity.jpg|thumb|Binance Smart Chain]]BYC is a token on the Binance Smart Chain (BSC), created on November 27th, but apparently lacking social media presence or a website. The token is vulnerable to an arbitrary burn attack due to flaws in its transfer function, specifically in the autoBurnLiquidity mechanism that lacks access control. This vulnerability allows anyone to burn tokens from liquidity pairs, enabling attackers to profit by manipulating the token's price. The attack, which triggered the burn process and caused price distortion, resulted in approximately $102.4K in losses, as detected by security systems like SlowMist and TenArmorAlert. There does not appear to be a reachable team behind the token to assist any affected holders.<ref name="slowmistteamtwitter-17416" /><ref name="tenarmoralerttwitter-17417" /><ref name="bscscan-17418" /><ref name="tenarmoralerttwitter-17419" /><ref name="bscscan-17420" /><ref name="bscscan-17421" /><ref name="bscscan-17422" /><ref name="slowmistteamtwitter-17423" /><ref name="bscscan-17424" />

== About BYC ==
BYC is a token on the Binance Smart Chain created on November 27th. The token does not appear to have any social media presence or website associated with it.

== The Reality ==
This sections is included if a case involved deception or information that was unknown at the time. Examples include:

* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.

== What Happened ==
A vulnerability in the burn mechanism allowed for easy profit, and was exploited for over $100k.
{| class="wikitable"
|+Key Event Timeline - RunWay (BYC) Burn Function Lacks Access Control
!Date
!Event
!Description
|-
|November 27th, 2024 6:36:24 AM MST
|BYC Token Creation Transacion
|The BYC token is first created on the Binance Smart Chain.
|-
|December 2nd, 2024 5:10:24 PM MST
|Binance Smart Chain Transaction
|The transaction appears on the Binance Smart Chain.
|-
|December 2nd, 2024 5:21:00 PM MST
|TenArmorAlert Tweet
|The TenArmor team posts a tweet about the suspicious attack on #BYC.
|-
|December 2nd, 2024 7:37:00 PM MST
|SlowMist Shares Post
|SlowMist reports on the attack.
|-
|December 2nd, 2024 8:19:00 PM MST
|Phalcon_xyz Posted
|Phalcon_xyz posts an additional analysis of the exploit root cause.
|-
|December 9th, 2024 8:00:00 PM MST
|Weekly Summary Inclusion
|The BYC incident is included in a weekly summary put together by SlowMist.
|}

== Technical Details ==
"This is a classic arbitrary burn vulnerability in the token’s transfer function. The autoBurnLiquidity function lacks access control, allowing anyone to burn tokens from the pair at will—easy profit!"

"It is a price manipulation issue due to the token's flawed mechanism, which automatically burns tokens from pairs once the token balance exceeds a threshold (e.g., lpBurnFrequency). By triggering the burn process, the attacker sandwiched it with swaps, profiting from the price distortion caused by the token burn."

== Total Amount Lost ==
SlowMist - $100k. Phalcon_xyz: $102.4k

The total amount lost has been estimated at $102,000 USD.

== Immediate Reactions ==
"ALERT! Our system detected an attack on the unknown #BYC token on BSC, resulting in ~$100k in losses."

"According to the SlowMist security team’s monitoring, RunWay (BYC) appears to have been attacked on BSC, resulting in a loss of approximately $100K."

The TenArmorAlert "system has detected a suspicious attack involving #BYC on #BSC, resulting in an approximately loss of $102.4K."

== Ultimate Outcome ==
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

== Total Amount Recovered ==
There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="slowmistteamtwitter-17416">[https://twitter.com/SlowMist_Team/status/1863774608278929503 @SlowMist_Team Twitter] (Accessed Jan 21, 2025)</ref>

<ref name="tenarmoralerttwitter-17417">[https://twitter.com/TenArmorAlert/status/1863740268140191759 @TenArmorAlert Twitter] (Accessed Jan 21, 2025)</ref>

<ref name="bscscan-17418">[https://bscscan.com/tx/0x177b87bd009e3b3aebb11cf2b88efc217d14fc1554a4675ee749eeb527d201ff BNB Smart Chain Transaction Hash (Txhash) Details | BscScan] (Accessed Jan 21, 2025)</ref>

<ref name="tenarmoralerttwitter-17419">[https://twitter.com/TenArmorAlert/status/1863843395250381138 @TenArmorAlert Twitter] (Accessed Jan 21, 2025)</ref>

<ref name="bscscan-17420">[https://bscscan.com/address/0x14cfa851ff34952a223ea7fdf621a05b128411ef BYC exploiter | Address 0x14cfa851ff34952a223ea7fdf621a05b128411ef | BscScan] (Accessed Jan 21, 2025)</ref>

<ref name="bscscan-17421">[https://bscscan.com/token/0x9a69eb74060e2808344ac35bb5825051b89bbe76 RunWay (BYC) Token Tracker | BscScan] (Accessed Jan 21, 2025)</ref>

<ref name="bscscan-17422">[https://bscscan.com/address/0x9a69eb74060e2808344ac35bb5825051b89bbe76 RunWayERC20 | Address 0x9a69eb74060e2808344ac35bb5825051b89bbe76 | BscScan] (Accessed Jan 21, 2025)</ref>

<ref name="slowmistteamtwitter-17423">[https://twitter.com/SlowMist_Team/status/1866316918120182091 @SlowMist_Team Twitter] (Accessed Jan 21, 2025)</ref>

<ref name="bscscan-17424">[https://bscscan.com/tx/0x2ac7f20ae967984d367dbbf5e21239d88db6ffb8f30b80bbe16f2c33db300d53 BNB Smart Chain Transaction Hash (Txhash) Details | BscScan] (Accessed Jan 21, 2025)</ref></references>

RunWay (BYC) Burn Function Lacks Access Control - Revision history