AIRWA Access Control Public Burn Rate Function Exploited

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

The $AIRWA token on Binance Smart Chain was exploited due to a critical vulnerability in its smart contract. Launched just a day earlier, the contract lacked access control on its setBurnRate() function, allowing anyone to change the token’s burn rate. The attacker exploited this flaw to manipulate the tokenomics and trade ~12 AIRWA for ~57 BNB (worth approximately $33.6K). The project has not issued any public response, and there is no indication of recovery efforts. The stolen funds appear to be permanently lost.[1][2][3][4][5][6][7][8][9][10][11]

About AIRWA Token

The AIRWA smart contract/token was created on the morning of April 3rd, 2025.

The Reality

Unfortunately, the contract was launched with a lack of access control on the setBurnRate function, allowing funds to be drained.

What Happened

The $AIRWA token was exploited due to a missing access control on the setBurnRate() function, allowing an attacker to manipulate tokenomics and steal approximately $33.6K in BNB.

Key Event Timeline - AIRWA Access Control Public Burn Rate Function Exploited

| Date | Event | Description |
| --- | --- | --- |
| April 3rd, 2025 10:12:26 AM MDT | AIRWA Contract Created | The AIRWA smart contract was first created. |
| April 3rd, 2025 8:33:05 PM MDT | Attack Transaction Mined | The attack transaction is accepted to be processed on the Binance Smart Chain. |
| April 4th, 2025 2:14:00 AM MDT | CertiK Alert Posted | CertiK posts an alert on Twitter/X with details of the exploit. |
| April 4th, 2025 3:15:00 AM MDT | TenArmor Posts Announcement | TenArmor posts an update regarding a suspicious attack transaction suspected to be related to AIRWA. |

Technical Details

The exploit of the $AIRWA token on the Binance Smart Chain (BSC) on April 4th stemmed from a critical access control vulnerability in the token's smart contract. Specifically, the contract exposed a public setBurnRate() function, which allowed any user to arbitrarily modify the burn rate of the token — a parameter that controls how much of the token is destroyed or removed from circulation during transfers or conversions.

The attacker exploited this flaw by calling setBurnRate() and setting the burn rate to a maliciously high or strategic value. This manipulation altered the internal tokenomics, allowing the attacker to trade a very small amount of $AIRWA (about 12 AIRWA tokens) and extract a disproportionately large amount of BNB — roughly 57 BNB, worth around $34,000 at the time. Because this function should have been restricted to the contract owner or admin, the lack of proper access control was the root cause of the vulnerability.
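The access-control gap described above, shown beside a restricted version, as an added example that is not the AIRWA contract's code (that contract is not open source). Every name other than setBurnRate() is hypothetical, and the basis-point unit and 10% cap are assumed policy choices.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. Only setBurnRate() is named in the write-up; burnRate,
// owner, MAX_BURN_RATE_BPS and the events/errors below are hypothetical.

// Before: the pattern the write-up describes. No caller check, no bound.
contract BurnRateUnrestricted {
    uint256 public burnRate; // basis points applied on transfer (assumed unit)

    function setBurnRate(uint256 newRate) external {
        burnRate = newRate; // any address can reach this line
    }
}

// After: owner-only, bounded, and logged so monitoring can alert on changes.
contract BurnRateRestricted {
    uint256 public constant MAX_BURN_RATE_BPS = 1_000; // 10% cap (assumed policy)
    address public owner;
    uint256 public burnRate;

    event BurnRateChanged(address indexed caller, uint256 oldRate, uint256 newRate);

    error NotOwner(address caller);
    error BurnRateTooHigh(uint256 requested, uint256 max);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    constructor() {
        owner = msg.sender; // deployer becomes the only address allowed to tune the rate
    }

    function setBurnRate(uint256 newRate) external onlyOwner {
        // Even the owner cannot push the rate past the cap, which limits the
        // damage if the owner key is compromised.
        if (newRate > MAX_BURN_RATE_BPS) revert BurnRateTooHigh(newRate, MAX_BURN_RATE_BPS);
        emit BurnRateChanged(msg.sender, burnRate, newRate);
        burnRate = newRate;
    }
}
```

The caller check addresses the root cause named above; the cap and the event are defense in depth, so a changed rate stays within a known range and is visible to anyone watching the contract's logs.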

The attack involved three key addresses:

Attacker’s wallet: 0x70f0406e0A50C53304194B2668Ec853D664a3D9C

Attack contract: 0x2a011580f1b1533006967bd6dc63af7ae5c82363

Targeted AIRWA contract (non-open source): 0x3af7da38c9f68df9549ce1980eef4ac6b635223a

Total Amount Lost

TenArmor has reported the amount lost as $33.6k USD.

The total amount lost has been estimated at $34,000 USD.

Immediate Reactions

The incident was reported by third parties such as TenArmor, CertiK, and GoPlus. However, there is no indication that this project has issued any response.

Ultimate Outcome

There were some public news reports. There is no indication of any investigation or recovery effort by the project.

Total Amount Recovered

There is no indication that any funds have been recovered.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

The funds appear to be permanently gone.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References