Key Highlights
- Hackers drained $438K from SOF and LAXO in Feb 2026 by exploiting a burn logic flaw on BNB Smart Chain.
- Flash loans let attackers manipulate token prices, turning tiny mining rewards into millions in BSC-USD profits.
- Copycat attacks followed quickly; even small loopholes in burn mechanics can lead to massive DeFi losses.
Hackers hit the BNB Smart Chain hard in February 2026, stealing more than $438,000 from SOF and LAXO tokens. The first attack happened on February 14, and the second followed on February 22, according to a report from CertiK.
As per the Incident Analysis report, both attacks took advantage of a glitch in the tokens’ burn system. This glitch let hackers artificially pump up the token prices in just one transaction, and allowed them to manipulate the liquidity pools and cash out huge amounts of BSC-USD with almost no resistance.
CertiK Alert confirmed on X, “On 14 February and 22 February 2026, SOF and LAXO tokens were exploited, resulting in losses of ~$248K and ~$190K respectively, due to their burn logic.” The attackers used flash loans, drained liquidity pools, repaid borrowed funds, and kept the difference. Moreover, copycat exploiters quickly followed the first LAXO breach.
How the SOF exploit unfolded
The SOF hacker started by claiming 875 tokens from mining rewards. But the real attack came afterward. They took out multiple flash loans worth over $590 million in assets and swapped 313 million BSC-USD for just under a million SOF tokens.
Instead of keeping the tokens, the hacker sent them to the mining contract, which skipped fees. This left the pool with only 787 SOF tokens but still over 313 million BSC-USD.
Next, the attacker sold the 875 SOF reward tokens back into the pool. The contract burned some tokens and updated the balances before figuring out the payout. This made the system think the remaining tokens were worth much more than they really were.
In the end, those 875 tokens were enough to grab the entire 313 million BSC-USD from the pool. The hacker paid back all flash loans and pocketed 225,936 BSC-USD in profit. They also moved some funds to FixedFloat and sent 20 BNB through Tornado Cash.
LAXO attack and rapid copycats
The LAXO attack worked in a similar way. The first hacker borrowed 350,000 BSC-USD using a flash loan and swapped it for more than 43 million LAXO tokens.
Using clever tricks and fee exemptions on PancakeSwap, the attacker moved the tokens around without losing much to fees. Then, the contract burned over 41 million LAXO before figuring out how much BSC-USD to return. This sudden burn slashed the token supply and made the price skyrocket instantly.
After paying back the flash loan and a small fee, the hacker walked away with 137,320 BSC-USD in profit. Interestingly, within just 13 minutes, two more attackers spotted the same flaw and used it themselves. They earned smaller amounts, though one even had to give a big MEV bribe.
The SOF and LAXO exploits show how small flaws in burn logic can be amplified by flash loans into major DeFi losses within a single transaction. They also underscore how quickly attackers replicate vulnerabilities, making robust smart contract design and real-time monitoring critical.
Also Read: XRP Ledger Averts $80B Critical Hack as AI Uncovers Major Flaw
