Key Highlights
- PeckShield flagged a $950K exploit on the LML staking protocol on Binance Smart Chain (BSC).
- LML token crashed 99.6% on PancakeSwap, dropping from approximately $50 to $0.1758 USDT, according to DexTools chart data.
- The exploiter converted stolen funds to 450.6 ETH and routed them into Tornado Cash across multiple deposits ranging from 0.1 to 100 ETH each.
Blockchain security firm PeckShield has flagged a $950,000 exploit targeting the LML staking protocol on Binance Smart Chain.
The attack, confirmed via analysis from BlockSec Phalcon, was a coordinated, multi-protocol flash loan operation executed entirely within a single transaction.
The attack began by aggregating flash liquidity from Moolah, Venus, Aave V3, and multiple PancakeSwap and Uniswap V3 pools. Using 309,529,000 USDT, the attacker purchased nearly the entire LML supply from the LML/USDT PancakeSwap pool, then sent the acquired tokens to a burn address (address(0)), permanently removing them from circulation. This skewed the pool’s reserve ratio by approximately 67,347x, creating an extreme price distortion.
With the pool in this manipulated state, the attacker triggered the LML Power reward settlement path 11 times through pre-funded helper addresses that had deposited into the staking contract earlier, making them eligible to claim directly during the attack. Each round converted inflated reward accounting into real tokens at the manipulated price.
The root cause was a critical pricing design flaw in the reward proxy contract (0xae40…02e4): its updatePrice() function read the manipulated LP reserves directly as its price input, with no TWAP protection, no external oracle, and no same-block cooldown. This allowed the attacker to claim rewards valued at the artificially inflated price across all 11 settlement rounds.
After completing the reward extractions, the attacker dumped remaining LML tokens back into the pool, repaid all borrowed funds within the same transaction, and transferred 950,370.69 USDT in profit to wallet 0x3c00…fb51.
LML token crashes 99.66%
The impact on the LML token was immediate and severe. According to DexTools data, LML/USD had been trading in the $50–$55 range before the exploit. The attacker’s dump obliterated the token’s value, sending it to $0.1758—a crash of 99.66%. The token had reached a recorded high of $73.62 shortly before the collapse, suggesting the attacker may have artificially inflated the price as part of the manipulation before executing the dump.
On-chain transaction records show the exploiter quickly converted the stolen funds into 450.6 ETH and began routing them through Tornado Cash, the Ethereum-based privacy mixer, in batched deposits ranging from 0.1 to 100 ETH. This laundering pattern mirrors recent high-profile exploits, making fund recovery increasingly unlikely.
BSC staking exploits pile up in 2026
The LML exploit follows a disturbing pattern of staking contract vulnerabilities on BNB Chain. Just days earlier, an attacker drained $133K from a TUR staking contract on BSC using an identical attack vector—manipulating spot prices in a liquidity pool to inflate staking rewards.
Last month, the DBXen staking protocol lost $150K after an attacker exploited an ERC2771 meta-transaction bug to spoof sender identity and claim accumulated rewards. Additionally, in the same month, Venus Protocol suffered a $3.7 million oracle manipulation attack that left $2.15 million in bad debt—another case where thin on-chain liquidity enabled price manipulation.
The use of Tornado Cash for obfuscation continues to be a post-exploit standard despite its ongoing legal challenges. Tornado Cash Co-Founder Roman Storm faces an October retrial on money laundering and sanctions charges in the U.S.
PeckShield’s data shows that crypto-related hacks drained over $52 million in March alone. With staking protocols on BSC repeatedly falling to the same class of spot-price manipulation attacks, developers face mounting pressure to adopt time-weighted average price (TWAP) oracles, external price feeds like Chainlink, and stricter audit standards before going live.
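The spot-reserve pricing flaw described in the root-cause paragraph above, together with the TWAP defence recommended in the closing paragraph, modelled in Python as an added example (this is not code from the article, nor from the LML, PancakeSwap or Venus contracts). The pool sizes, timestamps, reward balance and the 10% deviation threshold are constructed values; `Pool`, `Snapshot`, `twap` and `guarded_reward_value` are illustrative names, not functions of the LML reward contract.

```python
"""
Added illustration (not code from the article or from any contract it names):
a constant-product pool model showing why a reward contract that reads spot
reserves as its price input can be moved within one transaction, and how a
time-weighted average price (TWAP) plus a deviation check rejects the skewed
reading. All reserve sizes, timestamps and the reward balance are constructed.
"""
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Pool:
    """Minimal x*y=k pool with a Uniswap-V2-style cumulative price accumulator."""
    reserve_token: Fraction                    # LML-like token reserve
    reserve_usdt: Fraction                     # quote-asset reserve
    cumulative_price: Fraction = Fraction(0)   # sum of spot_price * seconds elapsed
    last_ts: int = 0

    def spot_price(self) -> Fraction:
        """Instantaneous USDT per token, straight from the reserves (the flawed input)."""
        return self.reserve_usdt / self.reserve_token

    def sync(self, ts: int) -> None:
        """Accumulate the price that held since the last sync. Called at the start of
        every block that touches the pool, before any swap changes the reserves."""
        self.cumulative_price += self.spot_price() * (ts - self.last_ts)
        self.last_ts = ts

    def buy_token(self, usdt_in: Fraction) -> Fraction:
        """Swap USDT for token (fee omitted for simplicity); returns tokens received."""
        k = self.reserve_token * self.reserve_usdt
        self.reserve_usdt += usdt_in
        token_out = self.reserve_token - k / self.reserve_usdt
        self.reserve_token -= token_out
        return token_out


@dataclass
class Snapshot:
    """Oracle checkpoint: accumulator value and timestamp at the start of the window."""
    cumulative_price: Fraction
    ts: int


def twap(pool: Pool, snap: Snapshot) -> Fraction:
    """Average price between the stored checkpoint and the pool's current state."""
    elapsed = pool.last_ts - snap.ts
    if elapsed <= 0:
        raise ValueError("TWAP window must span at least one second")
    return (pool.cumulative_price - snap.cumulative_price) / elapsed


def spot_reward_value(pool: Pool, reward_units: Fraction) -> Fraction:
    """The flawed pattern: value accrued rewards at whatever the reserves say right now."""
    return reward_units * pool.spot_price()


MAX_DEVIATION = Fraction(1, 10)  # constructed threshold: reject spot > 10% off the TWAP


def guarded_reward_value(pool: Pool, snap: Snapshot, reward_units: Fraction) -> Fraction:
    """Hardened pattern: settle at the TWAP, and refuse entirely when the spot price
    has diverged from it beyond MAX_DEVIATION (a same-block manipulation signature)."""
    avg = twap(pool, snap)
    spot = pool.spot_price()
    if abs(spot - avg) / avg > MAX_DEVIATION:
        raise RuntimeError(
            f"spot {float(spot):.2f} deviates from TWAP {float(avg):.2f}; refusing settlement"
        )
    return reward_units * avg


def simulate() -> dict:
    """Walk one constructed timeline and return both valuations for comparison."""
    pool = Pool(reserve_token=Fraction(10_000), reserve_usdt=Fraction(500_000))  # 50 USDT/token
    pool.sync(1800)
    snap = Snapshot(pool.cumulative_price, pool.last_ts)  # checkpoint taken 30 minutes earlier

    # One block (ts=3600) in which a very large buy lands before reward settlement.
    pool.sync(3600)
    pool.buy_token(Fraction(50_000_000))

    reward_units = Fraction(100)  # accrued reward balance, denominated in tokens (assumption)
    result = {
        "spot_price": pool.spot_price(),
        "twap_price": twap(pool, snap),
        "spot_settlement_usdt": spot_reward_value(pool, reward_units),
    }
    try:
        result["guarded_settlement_usdt"] = guarded_reward_value(pool, snap, reward_units)
    except RuntimeError as exc:
        result["guarded_settlement_usdt"] = None
        result["guard_reason"] = str(exc)
    return result


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {float(value) if isinstance(value, Fraction) else value}")
```

In the constructed run the spot price jumps from 50 to 510,050 USDT within the block while the 30-minute TWAP still reads 50, so the spot-based settlement pays out roughly ten thousand times the TWAP-based figure and the guarded path refuses outright. The deviation check is a circuit breaker, not a complete oracle: a sufficiently long TWAP window raises the capital needed to move the average, and pairing it with an external feed such as Chainlink, as the article recommends, removes the pool reserves as the sole source of truth.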