The PHX-WBNB liquidity pool on PancakeSwap was drained of roughly $89,600 in a single-transaction exploit on BNB Chain, according to the blockchain security firm TenArmor.
TenArmor flagged the incident after detecting a suspicious on-chain attack targeting PHX on Binance Smart Chain, estimating the loss at approximately $89.6K. The firm said the attack was not a phishing scheme; one public transaction manipulated the automated market maker’s accounting to extract WBNB from the liquidity pair.
PHX is a low-market-cap token (liquidity pool created roughly ~nine days before recent data), traded primarily on PancakeSwap V2 against WBNB. The exploit executed at block 109472554 and drew on a large flash loan from Lista DAO’s Moolah protocol to fund the manipulation, with hundreds of millions of dollars in WBNB and BTCB cycled through lending venues within the single atomic transaction before being repaid.
The attacker’s net take was modest relative to that borrowed capital, around 156 WBNB or roughly $89,600, once the flash loan was unwound.
How the Exploit Worked
The attacker deployed a parent-and-executor contract stack to run the full attack path in one transaction. The account described a two-phase sequence. First, borrowed liquidity moved WBNB into the PHX-WBNB pair, and a swap routed a large volume of PHX to a fee-exempt owner address, skewing the pair’s balances. A follow-up, non-exempt sell then triggered PHX’s transfer-fee function, in which a pair-side token burn executed first and called the pair’s sync routine before post-fee token amounts were credited back.
That ordering left the pool’s recorded reserves inconsistent with its actual balances—the analysis cited a state where one reserve was reset to 1,000,000 PHX while the WBNB side was left untouched. The mismatch let the next swap calculation release WBNB to the attacker-controlled executor, which then unwound the position and repaid the loan.
The Pattern Is Impossible to Ignore
The mechanism is not new. It closely mirrors a string of BNB Chain exploits in which a token’s custom burn logic desynchronizes an AMM pool’s reserves, and a flash loan amplifies the resulting price distortion into a profitable extraction.
In late June, the AIDC token was drained of about $121,000 through a burn function that removed tokens from the PancakeSwap pool rather than the seller. Days earlier, the OLPC/LABUBU pool lost roughly $1.1 million to a burn-driven reserve mismatch, and the BY token was hit for about $88,400 in a similar drain. Earlier incidents involving Movie Token, SOF, and LAXO followed the same broad template.
The lending infrastructure is also familiar. In May, an SKP-linked exploit that drained roughly $212,000 by moving BSC-USD, BTCB, and SKP through PancakeSwap, Venus, and Lista DAO contracts—the same set of venues the PHX attacker used to source and cycle capital. Flash-loan liquidity from Moolah has become a recurring ingredient across the cluster, including the OCA/USDC pool drain earlier this year.
The common thread is custom token code that interacts unsafely with AMM reserve accounting, particularly fee-on-transfer and burn mechanisms that call synchronization routines at the wrong moment. Once that flaw exists, a flash loan turns a small logical error into a full pool drain within seconds.
PancakeSwap Is Not the Vulnerability
As in the earlier incidents, the flaw sits in the token’s contract rather than in the exchange. In previous drains of this type, PancakeSwap confirmed that its own smart contracts were not compromised, and security researchers traced the root cause to the deployed token’s logic.
The recurring lesson from the cluster is that fee-on-transfer and burn-heavy tokens require rigorous auditing before they are paired on a DEX, because their non-standard transfer behavior can corrupt pool state in ways standard tokens do not. For traders, thinly traded tokens with custom tax or burn mechanics on BSC remain a persistent source of single-transaction losses.
Also Read: Crypto Loses $35M in a Week: BonkDAO, Bonzo Lend, Summer.fi Hacked
