Mobius DAO WBNB Deposit Price Miscalculation Drain
MobiusDAO (MBU) claims to have created a next-generation reserve currency protocol featuring algorithmic monetary policy, native liquidity control, and asset-backed stability. Despite promises of innovation—including protocol-owned liquidity, automated supply adjustments, and bond-structured assets—the project launched with minimal infrastructure, no smart contract audits, and vague marketing language. Just days after launch, a critical bug in the contract's handling of decimal values allowed an attacker to mint 10¹⁸ times more MBU tokens than intended from a tiny WBNB deposit. This exploit drained over $2.15 million via PancakeSwap and Tornado Cash, effectively crashing the token. MobiusDAO has since contacted cybersecurity firms and law enforcement, and is reportedly planning a protocol relaunch, though recovery remains uncertain due to the attacker's laundering through Tornado Cash.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18]
About Mobius DAO
MobiusDAO (MBU) claims to have created the next-generation reserve currency protocol by integrating algorithmic monetary policies with native liquidity control. Their hybrid model reportedly leverages the full capital structure hierarchy to optimize liquidity and ensure long-term protocol health through diversified stablecoin reserves and robust treasury collateral. The protocol is designed to deliver asset-backed stability with highly liquid backing per MBU token and transparent on-chain reserves, using a closed-loop feedback system to mitigate risks.
MobiusDAO emphasizes protocol-owned liquidity, controlling over 99% of its liquidity through a bonding mechanism that enables permanent liquidity pools and multiple automated liquidity controls. The dynamic monetary policy reportedly includes a Range Bound Stability (RBS) system that manages supply through automated minting and burning, and offers staking rewards through a "double-rebase" mechanism.
The protocol is designed to incentivize liquidity providers (LPs) to stake digital assets in liquidity pools in exchange for MBU tokens, deepening reserves and fostering a sustainable market-making ecosystem. MBU holders can stake tokens for governance rights and compounding rewards, aligned with a token release curve that promotes long-term engagement. Additionally, MobiusDAO introduced bond-structured assets to grow treasury reserves via time-locked deposits, converting short-term liquidity into lasting value and sustaining a deflationary tokenomic framework.
The Reality
According to Rekt News, "MobiusDAO launched on May 8 with little more than a token address, a bare bones website, and some fancy buzz speak of “Dimensional Integration” for DeFi and RWAs."
The smart contract reportedly did not have any audits.
What Happened
"An attacker deposited 0.001 BNB and minted 9.73 quadrillion MBU tokens – enough to drain $2.15 million in actual stablecoins."
| Date | Event | Description |
|---|---|---|
| May 11th, 2025 1:33:46 AM MDT | BSC Exploit Transaction | The exploit transaction on the Binance Smart Chain. |
| May 11th, 2025 2:05:00 AM MDT | Blockaid Twitter/X Report | Blockaid reports that a vulnerability in a smart contract's deposit function allowed an attacker to exploit a pricing miscalculation involving WBNB deposits. The contract erroneously multiplied the BNB price in USDT by 10¹⁸ twice, resulting in the minting of 10¹⁸ times more MBU tokens than intended. The attacker then traded the inflated tokens for USDT on PancakeSwap, draining the liquidity pool and collapsing the token’s value, and is now laundering the stolen funds through Tornado Cash. |
| May 11th, 2025 2:56:00 AM MDT | Cyvers Alert Tweet Posted | Cyvers Alerts also reported that over $2.15 million in Mobius Token ($MBU) was drained from smart contracts on the BNB Chain due to a targeted exploit. Their system detected the deployment of a malicious contract just two minutes before the attack, which then executed multiple harmful transactions against the victim’s address. The attacker ultimately funneled the stolen funds through Tornado Cash to obscure their trail. According to Rekt News and DexScreener, "the attacker was already dumping tokens until MBU's price flatlined". |
Technical Details
"The bug? A decimal handling error that turned pennies into quadrillions."
Exploit TX: 0x2a65254b41b42f39331a0bcc9f893518d6b106e80d9a476b8ca3816325f4a150
Blockaid: "The exploit contract calls the deposit function on contract 0x95e92b09b89cf31fa9f1eca4109a85f88eb08531.
This function accepts a deposit and mints the equivalent amount of MBU."
"The deposit function supports USDT and WBNB. If the user had deposited WBNB, the contract calls getBNBPriceInUSDT to get the value of the deposited tokens."
"However, this flow has an error - this function returns the amount with decimals (X * 10 ** 18).
Yet, after calling to getBNBPriceInUSDT, the contract does this multiplication again - which leads to the caller being minted 10**18 more MBU tokens than they should’ve."
"Once the exploit contract had minted their tokens, they used PancakeSwap to trade it for USDT (draining liquidity from the pool and sending the token value to 0 along the way)."
QuillAudits: "The attacker was funded with 10 BNB through Tornado Cash. The attacker, through their malicious contract, initially called the deposit function on the contract with only 0.001 WBNB, worth about $0.67 at the time of writing. This little deposit helped the attacker to mint over 9.7T tokens."
"The deposit function accepts the deposit and mints an equivalent amount of MBU tokens in the sender’s address. In the function, whenever a user deposits WBNB, the function gets the price of BNB to calculate the amount of tokens to transfer."
"The price comes in from the function getBNBPriceInUSDT, which returns the price in 18 decimals. The price returned as seen in the above image is ~$656, which is correct.
The problem arises as the function returns the value in 18 decimals, the contract multiplies this value again by 10**18, minting an enormous amount of tokens.
Once the exploit was done, the attacker sold the tokens at the available PCS liquidity pools, siphoning around $2.15M."
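The double scaling described by Blockaid and QuillAudits can be reproduced with plain integer arithmetic. The following is an added example, not the Mobius contract's code: it models only the WBNB-to-USDT valuation step and adds the kind of value invariant a pre-deployment test would assert. The function names, the constant $656 price, and 18 decimals for every token are assumptions; the conversion from USDT value to MBU is not described on this page and is left out.

```python
from fractions import Fraction

WAD = 10**18            # 18-decimal fixed-point unit (assumed for WBNB and USDT)
PRICE_WAD = 656 * WAD   # constructed oracle reading: ~$656 per BNB, already scaled by 1e18
DEPOSIT = WAD // 1000   # 0.001 WBNB, the deposit size reported on this page


def usdt_value_buggy(wbnb_wei: int, price_wad: int = PRICE_WAD) -> int:
    """Model of the reported flaw: the 1e18-scaled price is scaled by 1e18 again."""
    return wbnb_wei * (price_wad * WAD) // WAD


def usdt_value_fixed(wbnb_wei: int, price_wad: int = PRICE_WAD) -> int:
    """Multiply two 1e18-scaled values, then divide by 1e18 exactly once."""
    return wbnb_wei * price_wad // WAD


def to_units(amount_wad: int) -> Fraction:
    """Convert a 1e18-scaled integer to whole-token units without float error."""
    return Fraction(amount_wad, WAD)


def violates_value_invariant(value_fn, wbnb_wei: int, price_wad: int = PRICE_WAD) -> bool:
    """Test-suite check: the credited USDT value must equal deposit * price in
    human units, allowing one base unit of rounding from integer division."""
    expected = to_units(wbnb_wei) * to_units(price_wad)
    credited = to_units(value_fn(wbnb_wei, price_wad))
    return abs(credited - expected) > Fraction(1, WAD)


if __name__ == "__main__":
    for fn in (usdt_value_fixed, usdt_value_buggy):
        credited = float(to_units(fn(DEPOSIT)))
        status = "VIOLATION" if violates_value_invariant(fn, DEPOSIT) else "ok"
        print(f"{fn.__name__}: credited {credited:.3e} USDT for 0.001 WBNB -> {status}")
```

Comparing against a reference computed in whole-token units is what exposes the error: both functions return well-formed integers, and only the unit check shows that one of them is off by a factor of 10**18.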
Total Amount Lost
Blockaid reports "$2.1M had been drained so far". They show a screenshot with 2157126.179 USDT.
Cyvers Alerts reports "over $2.15M".
Rekt News calls this a "$2.15 million magic trick".
The blockchain reports 2,157,126.179348943736411799 USDT.
The total amount lost has been estimated at $2,157,000 USD.
Immediate Reactions
"MobiusDAO has contacted professional cybersecurity companies and global law enforcement agencies to report the incident. The token is currently under investigation, and the progress of the situation will be announced by the police at the same time."
Ultimate Outcome
Sources consistently report that funds were sent to Tornado Cash after the attack. Rekt News reports "21 neat transfers of 100 BNB each".
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
It appears that Mobius DAO is still attempting to pursue recovery through law enforcement. The attacker moved their funds through Tornado Cash, which may make this process difficult.
The Mobius DAO protocol is reportedly working on relaunch plans.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. Mobius DAO - Rekt (Accessed May 13, 2025)
2. Blockaid - "Our exploit detection system had identified multiple malicious transactions targeting Mobius Token ($MBU) contracts. $2.1M had been drained so far." - Twitter/X (Accessed May 13, 2025)
3. Cyvers Alerts - "Our system has detected an exploit on Mobius Token smart contracts, draining over $2.15M in Mobius Token ($MBU) on BNB Chain." - Twitter/X (Accessed May 13, 2025)
4. Mobius Token (MBU) Versus USDT Trading Pair - Dexscreener (Accessed May 13, 2025)
5. Mobius DAO Homepage (Accessed May 13, 2025)
6. Mobius DAO Web Application (Accessed May 13, 2025)
7. Exploit Transaction With 2,157,126.179348943736411799 USDT - BSCScan (Accessed May 13, 2025)
8. @MobiusDAO123 Twitter (Accessed May 13, 2025)
9. @MobiusDAO123 Twitter (Accessed May 13, 2025)
10. @MobiusDAO123 Twitter (Accessed May 13, 2025)
11. MobiusDAO - "MobiusDAO has contacted professional cybersecurity companies and global law enforcement agencies to report the incident. The token is currently under investigation, and the progress of the situation will be announced by the police at the same time." - Twitter/X (Accessed May 13, 2025)
12. @MobiusDAO123 Twitter (Accessed May 13, 2025)
13. @MobiusDAO123 Twitter (Accessed May 13, 2025)
14. @MobiusDAO123 Twitter (Accessed May 13, 2025)
15. @MobiusDAO123 Twitter (Accessed May 13, 2025)
16. @MobiusDAO123 Twitter (Accessed May 13, 2025)
17. @MobiusDAO123 Twitter (Accessed May 13, 2025)
18. Mobius Token Exploit Breakdown: $2.1M Lost due to Poor Logic - Quill Audits (Accessed May 13, 2025)