Hacker Drains $1.4 Million from CUT Token Pools in Unverified Contract Exploit

An attacker exploited a vulnerability in a liquidity pool holding CUT tokens, draining over $1.4 million worth of Binance-Pegged Tether (BSC-USD) on September 10, according to blockchain security firm CertiK.

The attack leveraged an unverified contract (one whose source code has not been published and verified on the block explorer) tied to the CUT token contract to set a “future yield” parameter. This unverified contract enabled the attacker to drain BSC-USD from the pool through means that are not yet known, raising alarms about the risks of such unverified contracts.

CertiK reported the incident on X (formerly Twitter), specifying that the exploited CUT token is located at an address ending in 36a7 on the BNB Smart Chain. This token is unrelated to the Crypto Unity project, which shares the CUT ticker but has a different address. The compromised liquidity pool was part of PancakeSwap, a popular decentralized exchange, but no other pools on PancakeSwap were reportedly affected.

Blockchain data revealed that the attacker conducted four separate transactions, successfully withdrawing $1,448,974 from the pool without any prior deposits or ownership of liquidity provider tokens, suggesting the transactions were not legitimate withdrawals. In each case, the attacker invoked a function selector, “0x7a50b2b8,” that does not exist in the CUT token contract, indicating the use of another function, ILPFutureYieldContract(), to execute the exploit via a separate, unverified contract.
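The two red flags the paragraph describes (withdrawals from a caller that never deposited and holds no LP tokens, and calls using a selector absent from the contract's verified ABI) are exactly what an off-chain pool monitor can check. The script below is an added example, not code from the article or from CertiK: it replays a constructed list of pool transactions in chain order and flags the ones that match either heuristic. The selector 0x7a50b2b8 is taken from the article; the caller addresses, transaction hashes, amounts and the two "known" selectors are hypothetical placeholders, and LP balances are tracked in USD as a simplification of real LP-token accounting.

```python
"""Off-chain monitor for liquidity-pool withdrawals (added example; all data constructed)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PoolTx:
    tx_hash: str
    caller: str
    selector: str      # first four bytes of calldata, e.g. "0x7a50b2b8"
    kind: str          # "deposit", "withdraw" or "other"
    amount_usd: float


# Selectors a verified ABI would expose for this hypothetical pool.
# Placeholder values, NOT real PancakeSwap/Uniswap selectors.
KNOWN_SELECTORS = {
    "0x1111aaaa": "addLiquidity",
    "0x2222bbbb": "removeLiquidity",
}

# Constructed sample: one honest LP, then four withdrawals mirroring the
# article's pattern (no prior deposit, unknown selector, $1,448,974 in total).
SAMPLE_TXS = [
    PoolTx("0xa1", "0xLP_honest", "0x1111aaaa", "deposit", 50_000.0),
    PoolTx("0xa2", "0xLP_honest", "0x2222bbbb", "withdraw", 20_000.0),
    PoolTx("0xb1", "0xATTACKER", "0x7a50b2b8", "withdraw", 400_000.0),
    PoolTx("0xb2", "0xATTACKER", "0x7a50b2b8", "withdraw", 400_000.0),
    PoolTx("0xb3", "0xATTACKER", "0x7a50b2b8", "withdraw", 400_000.0),
    PoolTx("0xb4", "0xATTACKER", "0x7a50b2b8", "withdraw", 248_974.0),
]


def flag_suspicious(txs, known_selectors, lp_balances=None):
    """Replay txs in chain order; return findings for any tx that
    (a) uses a selector not in the verified ABI, or
    (b) withdraws while the caller has no prior deposit / LP balance.
    lp_balances optionally seeds balances known before the window."""
    lp = defaultdict(float, lp_balances or {})
    findings = []
    for tx in txs:
        reasons = []
        if tx.selector not in known_selectors:
            reasons.append(f"selector {tx.selector} not in verified ABI")
        # Balance is checked BEFORE applying this tx, i.e. "prior" balance.
        if tx.kind == "withdraw" and lp[tx.caller] <= 0:
            reasons.append("withdrawal with no prior deposit or LP balance")
        if reasons:
            findings.append({
                "tx": tx.tx_hash,
                "caller": tx.caller,
                "amount_usd": tx.amount_usd,
                "reasons": reasons,
            })
        # Update simplified LP accounting after the checks.
        if tx.kind == "deposit":
            lp[tx.caller] += tx.amount_usd
        elif tx.kind == "withdraw":
            lp[tx.caller] -= tx.amount_usd
    return findings


def drained_per_caller(findings):
    """Aggregate flagged withdrawal amounts by caller for an alert summary."""
    totals = defaultdict(float)
    for f in findings:
        totals[f["caller"]] += f["amount_usd"]
    return dict(totals)


if __name__ == "__main__":
    hits = flag_suspicious(SAMPLE_TXS, KNOWN_SELECTORS)
    for h in hits:
        print(h["tx"], h["caller"], f"${h['amount_usd']:,.0f}", "; ".join(h["reasons"]))
    print("drained per caller:", drained_per_caller(hits))
```

Running it flags only the four 0xATTACKER withdrawals, each on both grounds, and reports $1,448,974 drained, while the honest LP's deposit and partial withdrawal pass. In practice the selector set would be built from the verified ABI fetched from the block explorer, and the balance seed from LP-token holdings at the start of the monitoring window.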

Exploits like this are a common method for stealing funds in the Web3 space. Just recently, $25 million was lost in the Penpie DeFi protocol exploit, and $10 million was drained from the Ronin network’s bridge. In this incident, CUT liquidity providers suffered a collective loss of $1.4 million due to the security breach.