HIGH RISK
Mobius Token Exploit Drains $2.15M On BNB Chain Via Mint Bug
A trivial math bug turned 0.001 BNB into 9.73 quadrillion tokens. The attacker swapped them for $2.15M in USDT and vanished through Tornado Cash within minutes.
Our Analysis
On May 11, 2025, at approximately 07:31 UTC, an attacker exploited a critical decimal-handling vulnerability in the Mobius Token (MBU) smart contract on BNB Chain, minting 9.73 quadrillion tokens from a deposit of just 0.001 BNB. The inflated token supply was immediately swapped for approximately $2.15 million in USDT stablecoins, which were then routed through Tornado Cash to obscure the trail. Web3 security firm Cyvers was the first to flag the suspicious transactions.
The root cause was a simple but devastating arithmetic bug in the project's minting function. To work out how many MBU tokens a depositor should receive, the contract called a price oracle for the BNB price. That oracle returned the price already scaled by 10^18, the 18-decimal fixed-point convention used by most EVM tokens and price feeds. The minting function then multiplied the value by 10^18 a second time, so the collateral was valued at 1,000,000,000,000,000,000 (10^18) times its real worth. A tiny BNB deposit was therefore treated as if it were worth quadrillions of dollars, and the contract minted tokens accordingly. The unverified contract at 0x637D8Ce897bb653cb83bA436CDf76bBe158f05B1 on BNB Chain contained this fatal error.
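The following is an added example and not the Mobius contract's code (which was unverified and is not reproduced here), nor code from any of the firms cited. It is a hypothetical Python reconstruction of the double-scaling bug class, using exact integer arithmetic as the EVM would, with a constructed oracle price of $600 per BNB, an assumed mint rate of one MBU per dollar of collateral, and a hypothetical governance-set `MAX_PRICE_USD` ceiling. It shows the vulnerable calculation beside the corrected one, the dimensional check a reviewer could run to catch the bug, and an independent mint cap that rejects a mint of this size regardless of what the oracle returns.

```python
WAD = 10**18  # 18-decimal fixed point, the scale most EVM tokens and price feeds use


def oracle_price_wad(usd_per_bnb: int = 600) -> int:
    """Constructed oracle: returns the BNB/USD price ALREADY scaled by WAD
    ($600.00 -> 600 * 10**18). Real feeds such as Chainlink return scaled
    integers too, which is exactly what makes a second scaling step dangerous."""
    return usd_per_bnb * WAD


def mint_vulnerable(deposit_wei: int, price_wad: int) -> int:
    """The bug class described above: the WAD-scaled oracle price is treated as a
    plain integer and scaled by WAD a second time, so the result is WAD times too
    large. (Hypothetical reconstruction, not the Mobius bytecode.)"""
    price_rescaled = price_wad * WAD              # second multiplication by 1e18 (the bug)
    return deposit_wei * price_rescaled // WAD    # == deposit_wei * price_wad: 1e18x too many


def mint_fixed(deposit_wei: int, price_wad: int) -> int:
    """Correct version: deposit (wei, 1e18 scale) times price (WAD scale) is
    1e36-scaled, so divide by WAD exactly once to get token units at 1e18 scale.
    Assumes one MBU per dollar of collateral."""
    return deposit_wei * price_wad // WAD


MAX_PRICE_USD = 10_000  # hypothetical on-chain ceiling on the BNB price, in whole USD


def mint_guarded(deposit_wei: int, price_wad: int, mint_fn=mint_fixed) -> int:
    """Defence in depth: an upper bound on the mint computed WITHOUT the oracle.
    Whatever the feed (or a scaling bug) says, deposit_wei of BNB can never be
    worth more than deposit_wei * MAX_PRICE_USD token units, so anything above
    that is treated as a revert."""
    minted = mint_fn(deposit_wei, price_wad)
    ceiling = deposit_wei * MAX_PRICE_USD          # = deposit_wei * (MAX_PRICE_USD * WAD) // WAD
    if minted > ceiling:
        raise ValueError(f"mint {minted} exceeds collateral ceiling {ceiling}: revert")
    return minted


def units_check(mint_fn) -> bool:
    """Review-time dimensional check: 1 BNB at $600 must mint exactly 600 tokens.
    A single fixed-value test like this catches any mis-scaling by a power of ten."""
    return mint_fn(1 * WAD, oracle_price_wad(600)) == 600 * WAD


if __name__ == "__main__":
    deposit = WAD // 1000                      # 0.001 BNB in wei, the deposit size in the article
    price = oracle_price_wad(600)
    print("fixed      :", mint_fixed(deposit, price) / WAD, "tokens")
    print("vulnerable :", mint_vulnerable(deposit, price) / WAD, "tokens")
    print("ratio      :", mint_vulnerable(deposit, price) // mint_fixed(deposit, price))
    print("units check: fixed =", units_check(mint_fixed), "vulnerable =", units_check(mint_vulnerable))
    try:
        mint_guarded(deposit, price, mint_vulnerable)
    except ValueError as err:
        print("guard      :", err)
```

With the constructed $600 price, the correct function mints 0.6 MBU for 0.001 BNB while the vulnerable one mints 6 * 10^17 MBU, a ratio of exactly 10^18. The constructed numbers do not reproduce the article's 9.73 quadrillion figure, which depends on the real contract's price and mint rate; they show only the factor by which the two calculations differ. Note that the cap in `mint_guarded` is deliberately independent of the oracle: a bound that reused the scaled price would inherit the same bug.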
The attack was premeditated. The attacker wallet (0xb32a53af96f7735d47f4b76c525bd5eb02b42600 on BNB Chain) was funded via a Tornado Cash deposit on May 4, a full week before the exploit was executed. At 07:31 UTC on May 11, the wallet deployed a rogue contract, and just two minutes later, a second address (0x631adf on BNB Chain) initiated the series of exploit transactions. The attacker deposited 0.001 BNB into the vulnerable minting function, received 9.73 quadrillion MBU tokens, and immediately swapped them on decentralized exchanges for $2.15 million in USDT. The entire exploit — from deployment to cash-out — took less than ten minutes.
The Mobius team had not subjected the minting contract to a formal third-party audit before the exploit. Security firms including Halborn and CertiK confirmed that a standard code review would have caught the double-multiplication error, since checking that collateral value is computed in consistent units is a basic audit item. The contract was also unverified on BscScan, meaning its source code was not publicly readable, a significant red flag that users and analysts could have spotted before interacting with the protocol.
This incident illustrates why users should exercise extreme caution with unaudited DeFi protocols. Before depositing funds, check whether the project's smart contracts are verified on the relevant block explorer (bscscan.com for BNB Chain, where a verified contract shows its source under the Contract tab and an unverified one shows only bytecode), whether a reputable security firm has audited the code, and whether the team is publicly identified. Unverified contracts whose minting logic cannot be read are a recurring feature of DeFi losses, whether the cause is a coding error, as here, or a deliberate backdoor. If a protocol cannot provide a public audit report from a recognized firm, the risk of catastrophic loss is significantly elevated.
RugPull News • May 11, 2025
Rug Pull Score
7.5/10
Based on our analysis
🚩 Red Flags Identified
- Unverified smart contract at 0x637D8Ce897bb653cb83bA436CDf76bBe158f05B1 contained a critical 1e18 inflation error
- Attacker wallet 0xb32a53af96f7735d47f4b76c525bd5eb02b42600 was funded via Tornado Cash on May 4 — one week before the exploit
- Deposit of just 0.001 BNB minted 9.73 quadrillion MBU tokens due to double multiplication by 10^18
- All stolen funds ($2.15M in USDT) were laundered through Tornado Cash immediately after the exploit
- Address 0x631adf initiated the exploit transactions just two minutes after the attacker wallet deployed its rogue contract
Disclaimer: This analysis is for informational purposes only and should not be considered financial advice. Always conduct your own research before making investment decisions.