Key Highlights
- Movie Token lost $242K after a double-counting flaw let an attacker manipulate its liquidity pool.
- The exploit used a flash loan and smart contract bug, inflating token price for a 381 WBNB profit.
- Despite attacks, crypto losses dropped to $26.5M in February 2025, signaling stronger sector defenses.
Movie Token (MT) suffered an exploit on March 10, 2026, with about $242,000 drained from its liquidity pool. The incident occurred on the BNB Smart Chain and drew attention to a weakness in how the token handled sell transactions.
Blockchain security firm CertiK confirmed the breach and linked it to a double-counting error in the code. As a result, the attacker manipulated the token’s supply and quietly pulled funds from the pool.
CertiK shared the incident analysis via a post on X, “On 10 March, Movie Token (MT) was exploited, resulting in a loss of ~$242K.” The firm later explained that a flaw in the token’s burn system made the situation worse.
In other words, the system reduced tokens in a way that pushed the price up unnaturally. As a result, the attacker took advantage of the inflated price to make a profit.
Exploit mechanics and attack flow
The attacker started by taking out a flash loan of 358,681.54 WBNB to carry out the operation. They first bought a small amount of Movie Token and added it to the liquidity pool. Then, they executed a series of swaps that bypassed fees and transaction limits, quietly building up millions of tokens without triggering safeguards.
This attack was made possible by a weakness in the smart contract code. The tokens were double-counted in the swap and the burn tracker. When the burn function was executed, it directly removed tokens from the liquidity pool. This caused the price of the token to go up, and the attacker was able to make money.
After increasing the price of the token, the attacker exchanged their Movie Tokens for WBNB. This was how they made money from the attack. After paying back the flash loan, they were left with a profit of 381.7468 WBNB.
The attacker then went through a series of transactions, converting the money into USDC, then Ethereum, and finally converting it into DAI. Finally, they used Railgun to make it difficult to trace the money.
Root cause and industry context
The root of the exploit is traced back to the poor design of the smart contract. In the first place, the sell function of the token did not keep track of the transactions. On the other hand, the burn function ended up removing the tokens from the liquidity pool.
However, the wider crypto security picture has shown signs of improvement. PeckShield reported losses of about $26.5 million in February 2025, a sharp drop from the previous year. The figure also reflects a 69% decline compared to January, pointing to stronger protections across the sector.
Still, risks remain across decentralized finance. Targeted attacks continue to focus on weak points in protocols. In particular, price feed manipulation and cross-chain bridge issues stand out as ongoing concerns. As a result, developers face growing pressure to improve code quality and carry out thorough security checks.
Also Read: UXLINK Hacker Converts 5,496 ETH to 11M DAI After $44M Breach
