BNB worth $226K lost! How BFB token’s safety protocol became its own worst enemy
What caused the price-defense mechanism of BFB to turn into the protocol's greatest flaw?
An exploit targeted the BFB token’s faulty price-defense mechanism rather than the PancakeSwap liquidity pool itself.
Investigators traced the attack to a logical flaw in BFB’s price-defense mechanism on BNB Chain. The attacker first funded gas fees with assets routed through Railgun, a privacy protocol that obscures transaction origins.

Then, by repeatedly using zero-value transferFrom() calls to trigger the _priceDeflPool() function with a flash loan, the attacker burned 5% of the BFB tokens in the liquidity pool. This was done approximately 151 times.
In each iteration, a zero-value transferFrom() call between externally owned accounts (EOAs) triggered the _priceDeflPool() function. This caused the contract to burn 5% of the BFB tokens stored in the PancakeSwap liquidity pool and immediately call sync() to update the pool’s reserves.
How did the attacker drain the pool?
Here, after the BFB reserve was nearly exhausted, the attacker consumed approximately 396.43 Binance [BNB] (roughly $226,000) by exchanging a small amount of BFB for nearly all the BNB in the pool.

The attacker later converted the stolen BFB into BNB and left the funds in wallet 0x3BFA…6b0F without moving them.
Investigators identified the logical flaw in BFBToken’s price-defense mechanism as the root cause. They continue monitoring the wallet for any outgoing transfers.
The attacker also combined several techniques, including liquidity pool draining, reserve manipulation, Automated Market Maker (AMM) price manipulation, flash loans, logic exploitation, zero-value transaction abuse, repeated execution, and Railgun funding.
Alarming rise in attacks
This coincided with TRM Labs data revealing a record 207 security breaches in the first half of 2026.

Even so, total losses fell sharply to $972 million, less than half the $2.3 billion stolen during the same period in 2025.
The attack also followed Polymarket’s recent phishing incident, where attackers compromised the frontend and manipulated what users viewed and signed.
Summer.fi’s post-mortem also showed attackers spent about three months preparing the $6.04 million Lazy Summer Protocol exploit before executing it.
Final Summary
- 396.43 BNB was drained by the attacker in exchange for a small amount of BFB.
- A logical error in BFBToken’s price-defense mechanism was the root cause of this attack.