Key Highlights
PeckShield flagged a $950K exploit on the LML staking protocol on Binance Smart Chain (BSC).
LML token crashed 99.6% on PancakeSwap, dropping from approximately $50 to $0.1758 USDT, according to DexTools chart data.
The exploiter converted stolen funds to 450.6 ETH and routed them into Tornado Cash across multiple deposits ranging from 0.1 to 100 ETH each.
Blockchain security firm PeckShield has flagged a $950,000 exploit targeting the LML staking protocol on Binance Smart Chain. The attack, confirmed via analysis from BlockSec Phalcon, involved a classic price manipulation strategy targeting the protocol’s vulnerable spot-price dependency.
The attacker manipulated the LML token price by executing large swaps on PancakeSwap, artificially inflating its value. Once the token price was pumped, the attacker staked LML to claim amplified rewards at the manipulated snapshot price. The rewards were then sold at a higher spot price, draining the staking contract before the pool could recalibrate. This left genuine LML holders exposed to devastating losses.
LML Price Crash
The impact on the LML token was immediate and severe. According to DexTools data, LML/USD had been trading in the $50–$55 range before the exploit. The attacker’s dump obliterated the token’s value, sending it to $0.1758—a crash of 99.66%. The token had reached a recorded high of $73.62 shortly before the collapse, suggesting the attacker may have artificially inflated the price as part of the manipulation before executing the dump.
On-chain transaction records show the exploiter quickly converted the stolen funds into 450.6 ETH and began routing them through Tornado Cash, the Ethereum-based privacy mixer, in batched deposits ranging from 0.1 to 100 ETH. This laundering pattern mirrors recent high-profile exploits, making fund recovery increasingly unlikely.
The LML exploit follows a disturbing pattern of staking contract vulnerabilities on BNB Chain. Just days earlier, an attacker drained $133K from a TUR staking contract on BSC using an identical attack vector—manipulating spot prices in a liquidity pool to inflate staking rewards.
Earlier this month, the DBXen staking protocol lost $150K after an attacker exploited an ERC2771 meta-transaction bug to spoof sender identity and claim accumulated rewards. And in March, Venus Protocol suffered a $3.7 million oracle manipulation attack that left $2.15 million in bad debt—another case where thin on-chain liquidity enabled price manipulation.
The use of Tornado Cash for obfuscation continues to be a post-exploit standard despite its ongoing legal challenges. Tornado Cash co-founder Roman Storm faces an October retrial on money laundering and sanctions charges in the U.S.
PeckShield’s data shows that crypto-related hacks drained over $52 million in March alone. With staking protocols on BSC repeatedly falling to the same class of spot-price manipulation attacks, developers face mounting pressure to adopt time-weighted average price (TWAP) oracles, external price feeds like Chainlink, and stricter audit standards before going live.
Disclaimer: The information researched and reported by The Crypto Times is for informational purposes only and is not a substitute for professional financial advice. Investing in crypto assets involves significant risk due to market volatility. Always Do Your Own Research (DYOR) and consult with a qualified Financial Advisor before making any investment decisions.
