The Mobius Token (MBU) contract on Binance Smart Chain was exploited, allowing the attacker to mint an enormous amount of tokens. The exploiter took advantage of how the Mobius contract handles decimal scaling.
The attack happened on 11th May, 2025 at 07:33 UTC and was caused by flawed protocol logic. This analysis covers the hack details, how it happened, the attack flow, and the funds lost.
The attacker was funded with 10 BNB through Tornado Cash. Through their malicious contract, the attacker initially called the deposit function on the Mobius contract with only 0.001 WBNB, worth about $0.67 at the time of writing. This tiny deposit was enough to mint over 9.7 trillion (9.7T) MBU tokens.
The deposit function accepts WBNB and mints the equivalent amount of MBU tokens to the sender. To compute that amount, the function fetches the BNB price whenever a user deposits WBNB.
The price comes from the function getBNBPriceInUSDT, which returns the price with 18 decimals. The price returned, as seen in the image above, is ~$656, which is correct.
The problem is that the contract treats this already-scaled value as if it were an integer price and multiplies it by 10**18 a second time. Every minted amount is therefore inflated by a factor of 10**18, which is why a sub-dollar deposit produced trillions of tokens.
Once the exploit was done, the attacker sold the tokens into the available PancakeSwap (PCS) liquidity pools, siphoning around $2.15M.
The selling of the tokens crashed the MBU price to zero.
Source: https://dexscreener.com/bsc/0xb5252fcef718f8629f81f1dfcff869594ad478c6
Visual breakdown of the attack flow to understand it in a better way:
Exploit Transaction: 0x2a65254b41b42f39331a0bcc9f893518d6b106e80d9a476b8ca3816325f4a150
Attacker Tornado Cash Fund Transaction: 0x491b6888843f260587e86efaa26b837c6a1c26d17442a526088bb2ec46ee828f
Attacker: 0xB32A53Af96F7735D47F4b76C525BD5Eb02B42600
Attacker’s Contract: 0x631adFF068D484Ce531Fb519Cda4042805521641
Victim Contract: 0x95e92B09b89cF31Fa9F1Eca4109A85F88EB08531
MBU Token Contract: 0x0dfb6ac3a8ea88d058be219066931db2bee9a581
Post-attack, the attacker laundered the funds through Tornado Cash in multiple transactions, sending 100 BNB in each transaction.
The root cause of the hack was flawed protocol logic and a lack of validation. The attack could have been prevented by simple unit tests around the token minting math: a test that deposits a known amount at a known price and asserts the exact number of tokens minted would have failed immediately.
Moreover, there were no limits on the minting itself: no per-deposit bound, no sanity range on the oracle price, and no supply cap, so a single wrong multiplication could mint an unbounded amount.
To sum it up, the protocol should have tested the token minting logic properly and enforced caps on it as a second line of defence.
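As an added example (not the Mobius contract's own code, which this write-up does not reproduce), the Solidity sketch below shows the class of bug described above next to a hardened deposit path, and the minting sanity check that would have caught it. Assumptions, all hypothetical: the oracle function name getBNBPriceInUSDT is taken from the text, but its 18-decimal return value, the 1 MBU = 1 USD peg, the contract names, and the price bounds and caps are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reconstruction for illustration; not the Mobius source.
// Assumed: the oracle returns USD per BNB scaled by 1e18 (656e18 for $656),
// WBNB and MBU both use 18 decimals, and 1 MBU is meant to equal 1 USD.
interface IPriceFeed {
    function getBNBPriceInUSDT() external view returns (uint256);
}

interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

uint256 constant PRICE_SCALE = 1e18; // decimals carried by the oracle answer

/// Correct conversion: amountWBNB (18 dec) * price (18 dec) / PRICE_SCALE
/// gives MBU with 18 decimals. Kept as a free pure function so it can be
/// unit-tested without deploying anything.
function mbuForDeposit(uint256 amountWBNB, uint256 price) pure returns (uint256) {
    return (amountWBNB * price) / PRICE_SCALE;
}

abstract contract MintableBase {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    function _mint(address to, uint256 amount) internal {
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

/// Vulnerable pattern: the oracle value already carries 18 decimals and the
/// deposit path scales it by 1e18 a second time.
contract VulnerableDeposit is MintableBase {
    IERC20Like public immutable wbnb;
    IPriceFeed public immutable feed;

    constructor(IERC20Like _wbnb, IPriceFeed _feed) {
        wbnb = _wbnb;
        feed = _feed;
    }

    function deposit(uint256 amountWBNB) external {
        require(wbnb.transferFrom(msg.sender, address(this), amountWBNB), "transfer failed");
        uint256 price = feed.getBNBPriceInUSDT();   // 656e18, not 656
        uint256 priceScaled = price * 1e18;         // BUG: now 656e36
        uint256 mintAmount = (amountWBNB * priceScaled) / 1e18;
        // For 0.001 WBNB (1e15 wei) this is 1e15 * 656e18 = 6.56e35 base units,
        // i.e. ~6.56e17 whole MBU instead of the 0.656 MBU the deposit is worth.
        _mint(msg.sender, mintAmount);
    }
}

/// Hardened version: one explicit scale constant, oracle sanity bounds,
/// a per-deposit mint limit, and a total supply cap.
contract HardenedDeposit is MintableBase {
    uint256 public constant MIN_BNB_PRICE = 1e18;        // $1, hypothetical floor
    uint256 public constant MAX_BNB_PRICE = 100_000e18;  // $100k, hypothetical ceiling

    IERC20Like public immutable wbnb;
    IPriceFeed public immutable feed;
    uint256 public immutable maxMintPerDeposit; // MBU base units
    uint256 public immutable supplyCap;         // MBU base units

    constructor(IERC20Like _wbnb, IPriceFeed _feed, uint256 _maxMintPerDeposit, uint256 _supplyCap) {
        wbnb = _wbnb;
        feed = _feed;
        maxMintPerDeposit = _maxMintPerDeposit;
        supplyCap = _supplyCap;
    }

    function deposit(uint256 amountWBNB) external {
        require(amountWBNB > 0, "zero deposit");
        uint256 price = feed.getBNBPriceInUSDT();
        require(price >= MIN_BNB_PRICE && price <= MAX_BNB_PRICE, "oracle out of range");
        require(wbnb.transferFrom(msg.sender, address(this), amountWBNB), "transfer failed");

        uint256 mintAmount = mbuForDeposit(amountWBNB, price);
        require(mintAmount <= maxMintPerDeposit, "per-deposit mint limit");
        require(totalSupply + mintAmount <= supplyCap, "supply cap reached");
        _mint(msg.sender, mintAmount);
    }
}

/// The "simple test around token minting" that would have flagged the bug:
/// 0.001 WBNB at $656 must mint exactly 0.656 MBU.
contract MintMathCheck {
    function run() external pure returns (uint256 minted) {
        minted = mbuForDeposit(1e15, 656e18);          // 0.001 WBNB at $656
        require(minted == 656e15, "expected 0.656 MBU"); // 0.656 * 1e18
        require(minted < 1e18, "a sub-dollar deposit must mint under 1 MBU");

        // The double-scaled formula from VulnerableDeposit, for comparison.
        uint256 buggy = (1e15 * (656e18 * 1e18)) / 1e18;
        require(buggy == 656e33, "buggy math is inflated by exactly 1e18");
        require(buggy == minted * 1e18, "inflation factor is the extra scale");
    }
}
```

The check contract deliberately pins an exact expected value rather than a range: a decimal-scaling bug is off by a factor of 10**18, so any assertion on the precise minted amount for a known deposit and price catches it on the first run. The caps in HardenedDeposit are the second line of defence the write-up calls for; they do not fix wrong math, but they bound how much a wrong multiplication can mint before anyone notices.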
As Mobius Token shows, even seemingly small logic flaws can lead to massive losses. Take a proactive step towards security. Request a smart contract audit with us and protect your project against potential exploits.
The attack on Mobius Token was due to flawed protocol logic. While mistakes around decimal precision are common, protocols should handle decimal scaling precisely and with care, and harden the pre-deployment pipeline with robust testing and auditing.
At QuillAudits, with our 7+ years of experience in testing and auditing smart contracts and our multi-layered auditing framework, we ensure that exploits like these can be avoided.