
Mobius Token Exploit Breakdown: $2.1M Lost due to Poor Logic

May 12, 2025

The Mobius Token Contract recently got exploited, leading to the minting of an enormous amount of tokens on Binance Smart Chain. The exploiter took advantage of how the Mobius contract handles decimals.

The attack happened on 11th May, 2025 at 07:33 UTC due to poor protocol logic. The analysis covers the hack details, how it happened, the attack flow, and the funds lost.

Hack Analysis and Its Impact

The attacker was funded with 10 BNB through Tornado Cash. Through their malicious contract, the attacker initially called the deposit function on the contract with only 0.001 WBNB, worth about $0.67 at the time of writing. This small deposit let the attacker mint over 9.7T tokens.

The deposit function accepts the deposit and mints an equivalent amount of MBU tokens to the sender’s address. Whenever a user deposits WBNB, the function gets the price of BNB to calculate the amount of tokens to transfer.

The price comes from the function getBNBPriceInUSDT, which returns the price in 18 decimals. The price returned, as seen in the above image, is ~$656, which is correct.

The problem is that, although the function already returns the value in 18 decimals, the contract multiplies this value again by 10**18, minting an enormous amount of tokens.

Once the exploit was done, the attacker sold the tokens in the available PCS liquidity pools, siphoning around $2.15M.

Visual breakdown of the attack flow to understand it in a better way:

How the Hack Could Have Been Prevented?

$2.1 Million vanished from Mobius Token due to a simple mistake. Don’t let the same happen to you. We’ve dissected exactly how this exploit unfolded, revealing the vulnerable logic.


The attack on Mobius Token was due to bad protocol logic. While mistakes around decimal precision are common, protocols should handle decimals precisely and with more care, backing the pre-deployment pipeline with robust testing and auditing.
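The double scaling described above, and a pre-deployment invariant test that catches it, as an added example (not the Mobius contract's code and not from QuillAudits), with Python integers standing in for the contract's fixed-point arithmetic. All function names are hypothetical, and the model assumes an 18-decimal token minted at 1 token per USDT of deposited value, so it shows the size of the scaling error rather than reproducing the exact amount minted in the incident.

```python
from fractions import Fraction

WAD = 10**18  # 18-decimal fixed-point scale (WBNB amounts, price feed, token units)

def mint_amount_buggy(deposit_wei: int, price_wad: int) -> int:
    """Models the flaw: price_wad is already 18-decimal, yet it is scaled by 1e18 again."""
    rescaled_price = price_wad * WAD  # redundant second scaling
    return deposit_wei * rescaled_price // WAD

def mint_amount_fixed(deposit_wei: int, price_wad: int) -> int:
    """18-dec amount * 18-dec price carries 36 decimals; divide once to get back to 18."""
    return deposit_wei * price_wad // WAD

def expected_tokens(deposit_wei: int, price_wad: int) -> Fraction:
    """Independent oracle in whole units, so it cannot share a scaling mistake."""
    return Fraction(deposit_wei, WAD) * Fraction(price_wad, WAD)

def inflation_factor(minted: int, deposit_wei: int, price_wad: int) -> Fraction:
    """Ratio of tokens actually minted to tokens the deposit is worth (1 means correct)."""
    return Fraction(minted, WAD) / expected_tokens(deposit_wei, price_wad)

def mint_is_sane(minted: int, deposit_wei: int, price_wad: int,
                 tolerance_bps: int = 10) -> bool:
    """Invariant for a test suite: minted value matches deposited value within tolerance."""
    drift = abs(inflation_factor(minted, deposit_wei, price_wad) - 1)
    return drift <= Fraction(tolerance_bps, 10_000)

# Constructed inputs based on the figures in the article: 0.001 WBNB at ~$656.
DEPOSIT = 10**15
PRICE = 656 * WAD

if __name__ == "__main__":
    for fn in (mint_amount_buggy, mint_amount_fixed):
        minted = fn(DEPOSIT, PRICE)
        print(fn.__name__, minted,
              "sane" if mint_is_sane(minted, DEPOSIT, PRICE) else "INVARIANT VIOLATED")
```

Computing the expected amount in whole units with exact fractions keeps the oracle independent of the scaling constants under test, which is why it flags the extra 10**18 factor instead of repeating it.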

At QuillAudits, with our 7+ years of experience in testing and auditing smart contracts and our multi-layered auditing framework, we ensure that exploits like these can be avoided.


Written by QuillAudits - Web3 Security 🛡️
