Key Highlights
- $133K lost on BSC Stake exploit due to manipulated TUR token prices in the TUR-NOBEL pool.
- DeFi rewards using live DEX prices are vulnerable, letting attackers inflate payouts instantly.
- Past BSC hacks show low-liquidity pools and weak oracles create repeated exploitable risks.
Users of Binance Smart Chain (BSC), now known as BNB Chain, have lost $133,000 after an advanced attack on the Stake contract. BlockSec Phalcon quickly identified and flagged the suspicious activity.
As per the report, the hacker manipulated the TUR token price in the TUR-NOBEL pool. The hacker raised the spot price of the token and then staked it to gain an amplified reward.
“Amplified rewards were claimed via referred accounts, draining all TUR from the contract,” BlockSec Phalcon reported. The attacker then swapped stolen TUR for USDT, leaving the contract empty. Key addresses involved include 0xC9..F692 and several referral accounts.
The root cause is a common DeFi weakness: the contract used the real-time price from a decentralized exchange without any form of protection. It took the spot price of the TUR-NOBEL pool for its reward computation, with no safeguard such as a time-weighted average or an external oracle.
This meant the attacker could inflate the rewards and then claim them instantly. The transaction history shows multiple instant claims by the attacker, indicating that the attack was systematic and that the price had not yet normalized. One of the transactions indicated that the attacker had tested the limits of the system but had been unable to proceed with the theft.
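The difference between a spot-priced reward and a time-weighted one can be seen in a small model. This is an added example, not code from the Stake contract or from BlockSec Phalcon; the pool reserves, the 30-minute window, the 10% reward formula and all names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Constructed constant-product pool (x * y = k), fee-free; TUR is priced in NOBEL."""
    tur: float
    nobel: float
    cumulative: float = 0.0  # running sum of price * seconds
    last_ts: int = 0

    def spot(self) -> float:
        return self.nobel / self.tur

    def observe(self, now: int) -> float:
        """Cumulative price at `now`, read without changing pool state."""
        return self.cumulative + self.spot() * (now - self.last_ts)

    def buy_tur(self, nobel_in: float, now: int) -> float:
        # Bank the price that held up to `now` before the reserves move.
        self.cumulative, self.last_ts = self.observe(now), now
        k = self.tur * self.nobel
        self.nobel += nobel_in
        tur_out = self.tur - k / self.nobel
        self.tur -= tur_out
        return tur_out

def twap(obs_a: float, t_a: int, obs_b: float, t_b: int) -> float:
    return (obs_b - obs_a) / (t_b - t_a)

def reward(staked_tur: float, price: float, rate: float = 0.10) -> float:
    # Hypothetical formula: reward is a fixed share of the stake's quoted value.
    return staked_tur * price * rate

def compare(window: int = 1800, held_for: int = 3) -> dict:
    pool = Pool(tur=100_000, nobel=100_000)   # constructed reserves, price 1.0
    start = pool.observe(0)
    pool.buy_tur(900_000, now=window)         # one large buy moves spot to 100.0
    same_block = twap(start, 0, pool.observe(window), window)
    later = twap(start, 0, pool.observe(window + held_for), window + held_for)
    return {
        "spot": reward(1_000, pool.spot()),
        "twap_same_block": reward(1_000, same_block),
        "twap_if_price_held": reward(1_000, later),
    }

if __name__ == "__main__":
    print(compare())
```

The third value shows that a TWAP dampens a distorted price rather than ignoring it: the longer the price is held, the further the average moves, so window length and pool depth still matter.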
How price manipulation drives DeFi exploits
Many DeFi platforms, especially smaller staking or yield farms, get token prices straight from liquidity pools. This approach saves on transaction costs but can be risky in pools with low liquidity or when flash loans are used. Attackers can borrow large amounts temporarily, shift pool balances, and manipulate reward or loan calculations. Once the pool returns to normal, they cash out with a profit.
BNB Chain has seen similar attacks before. In 2025, the TOKENbnb contract lost $3,000 when flawed reward logic allowed price manipulation. D3X AI suffered a $158,900 loss for relying on a single spot price. Venus Protocol faced over $3.7 million in losses after attackers manipulated TWAP oracles using large token holdings.
The broader DeFi risk landscape
BNB Chain remains popular because of its low fees and fast transactions, but repeated exploits highlight ongoing weaknesses. Problems like flawed reward systems, reliance on live token prices, and weak access controls leave platforms vulnerable.
Developers need stronger safeguards, such as TWAP oracles, external price feeds, and thorough audits. Investors should also be careful when using smaller staking pools.
