ACB Staking Reward Manipulation Spot Price Oracle Exploit
Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
ACB is a smart contract on the Binance Smart Chain, launched on March 14th, 2025, with a vulnerability in its staking system. The flaw stemmed from the buyMachine function, which calculated rewards based on the manipulable spot price of ACB from the ACB/USDT pair. An attacker exploited this by inflating the token price, staking to receive excessive rewards, and repeatedly claiming and swapping them for profit. According to Blockaid, the exploit involved abusing the airdrop mechanism, and reported losses range from $22,804 (SlowMist) to $84,100 (TenArmor). The identity of the contract operators remains unknown, and the contract appears to still be active without a confirmed resolution.[1][2][3][4][5][6][7][8]
About ACB
ACB is a smart contract on the Binance Smart Chain. It was first launched on March 14th, 2025.
The Reality
The staking system of ACB had a vulnerability.
What Happened
An attacker exploited ACB’s staking system by manipulating the ACB/USDT spot price, enabling them to earn inflated rewards and repeatedly profit through reward claims and token swaps.
| Date | Event | Description |
|---|---|---|
| March 14th, 2025 4:34:46 AM MDT | ACB Smart Contract Created | The ACB smart contract on the Binance Smart Chain is launched. |
| April 22nd, 2025 12:19:28 PM MDT | Exploit Smart Contract Created | The smart contract related to the exploit is first created. |
| April 23rd, 2025 11:38:17 AM MDT | Reported Exploit Transaction | The exploit transaction which manipulates the price, as supplied by TenArmor. |
| April 23rd, 2025 2:20:00 PM MDT | Blockaid Detects Exploit | Blockaid reports detecting the exploit on BSC. They report that 60k was exploited. |
| April 23rd, 2025 9:02:00 PM MDT | SlowMist Reports Suspicion | SlowMist posts on Twitter/X that they suspect suspicious activity related to the ACB smart contract on BSC. |
| April 24th, 2025 2:38:00 AM MDT | TenArmor Analysis Tweet | TenArmor publishes an analysis of the exploit on Twitter/X. |
Technical Details
The underlying issue lies in the buyMachine function within ACB’s staking contracts, which determines rewards based on the spot price of the ACB token from the ACB/USDT trading pair.
The attacker initially manipulated the ACB token price and executed a staking transaction, resulting in an unusually large reward. According to Blockaid, "[t]he vulnerability allowed the attacker to claim an airdrop multiple times to drain the airdrop machine."
Following this, the attacker repeatedly claimed rewards in subsequent transactions and used the swapTo function to exchange the reward tokens back into ACB, ultimately extracting value from the ACB/USDT pool.
Total Amount Lost
Blockaid reported losses at 60k. SlowMist reported $22,804. TenArmor reports $84.1k.
The total amount lost has been estimated at $84,000 USD.
Immediate Reactions
"According to the SlowMist MistEye security monitoring system, ACB appears to have been attacked on BSC, resulting in a loss of approximately $22,000."
Ultimate Outcome
It is unclear who operates the ACB smart contract, and whether anything was done to resolve the issue.
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
The ACB smart contract appears to continue to operate.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ SlowMist - "We detected potential suspicious activity related to $ACB. As always, stay vigilant!" - Twitter/X (Accessed May 26, 2025)
- ↑ ACB Smart Contract - BSCScan (Accessed May 26, 2025)
- ↑ Transaction Creating ACB Smart Contract - BSCScan (Accessed May 26, 2025)
- ↑ Creation of Smart Contract - BSCScan (Accessed May 26, 2025)
- ↑ TenArmorAlert - "Our system has detected a suspicious price manipulation attack involving #ACB on #BSC, resulting in an approximately loss of $84.1K." - Twitter/X (Accessed May 26, 2025)
- ↑ Exploit Transaction By TenArmor - BSCScan (Accessed May 26, 2025)
- ↑ ACB Price - ApeSpace (Accessed May 26, 2025)
- ↑ Blockaid - "Our detection system has detected an ongoing exploit on BNB. 60k USD already drained." - Twitter/X (Accessed May 26, 2025)