According to Foresight News, BlockSec detected a suspicious exploit targeting an unknown contract on BSC, potentially involving the LML/USDT staking protocol, resulting in a loss of approximately $950,000.
Although the victim contract is not open source, analysis suggests it may have a pricing design flaw: the claimable rewards appear to be calculated based on the TWAP/snapshot price, and the attacker was able to sell the reward tokens at a manipulated spot price, profiting through price manipulation and reverse swaps. The attacker first inflated the price of LML in the pool through a series of transactions (including a path that set the recipient to address(0)). Then, using a controlled address with previously deposited funds, the attacker initiated a reward claim, thereby gaining direct eligibility to claim the reward during the attack.
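
The mitigation side of the suspected flaw, as an added example that is not code from the victim contract (which is not open source) or from BlockSec: a claim path that prices rewards from a TWAP refuses to pay while the pool's spot price has diverged from that TWAP. The pool sizes, the 5% (500 bps) threshold, the USDT-denominated reward and all names are assumptions made for illustration.

```python
"""Constructed model (not the victim contract): reward claims priced from a
TWAP are refused while the pool's spot price has diverged from that TWAP."""
from dataclasses import dataclass, field


@dataclass
class Pool:
    """Fee-less constant-product LML/USDT pool (x * y = k); sizes are constructed."""
    lml: float
    usdt: float

    def spot(self) -> float:
        return self.usdt / self.lml          # USDT per LML right now

    def buy_lml(self, usdt_in: float) -> float:
        k = self.lml * self.usdt             # invariant before the trade
        self.usdt += usdt_in
        out = self.lml - k / self.usdt       # LML leaving the pool
        self.lml -= out
        return out


@dataclass
class Twap:
    """Time-weighted average over (price, seconds) observations."""
    obs: list = field(default_factory=list)

    def record(self, price: float, seconds: int) -> None:
        self.obs.append((price, seconds))

    def price(self) -> float:
        total = sum(s for _, s in self.obs)
        return sum(p * s for p, s in self.obs) / total


def deviation_bps(spot: float, twap: float) -> float:
    """Distance of spot from TWAP in basis points of the TWAP."""
    return abs(spot - twap) / twap * 10_000


def claim_reward(pool: Pool, oracle: Twap, owed_usdt: float,
                 max_dev_bps: int = 500) -> float:
    """Return the LML paid for a USDT-denominated reward, or refuse the claim."""
    twap = oracle.price()
    if deviation_bps(pool.spot(), twap) > max_dev_bps:
        raise ValueError("spot/TWAP divergence too large; claim paused")
    return owed_usdt / twap                  # token amount fixed at the TWAP
```

A short price spike barely moves the TWAP, so without the divergence check the token amount is still computed at the old price while the tokens can be sold at the inflated spot.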




