XPlayer (XPL) Dynamic Burn Price Manipulation

The transaction 0x9779341b2b80ba679c83423c93ecfc2ebcec82f9f94c02624f83d8a647ee2e49 on BNB Smart Chain exploited XPlayer’s node distribution burn path to manipulate the XPL/USDT PancakeSwap pool and drain USDT. The attacker used a flash-loan style contract to burn XPL out of the pool, forcing reserves to re-sync at an inflated price, then swapped XPL for USDT and exited with profit.

Attack vector: access-controlled liquidity burn used as a price manipulation primitive. The burn function accepts a caller-provided amount and triggers uniswapV2Pair.sync(), so reserves become an attacker-controlled spot price. Market interactions rely on PancakeSwap’s instantaneous reserves without TWAP protection, allowing a one-transaction pump-and-dump.

Vulnerable contract: NodeDistributePlusProxy at 0xb413271b84902c95f01015d58326dda59a747854, implementation NodeDistributePlus at 0x83d5a47c38fa1b15abfc5327a46c7e67d3b3a5f0 (EIP-1967 implementation slot 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc). The proxy call DynamicBurnPool(string,uint256) (lines 169-183) allows any whitelisted caller to pass an arbitrary _amount and directly invoke IXPL.DynamicBurnPool(_amount) without price/rate bounds. The XPL token contract 0xc2c4ccde8948c693d0b04f8bad461e35a12f20b8 implements DynamicBurnPool(uint256) (lines 568-579), which burns from uniswapV2Pair and calls sync, directly shifting pool reserves.

Flaw description: DynamicBurnPool(string,uint256) only checks whitelist and daily counters, then forwards an attacker-controlled _amount to XPL. XPL’s DynamicBurnPool(uint256) burns liquidity from the pair and forces a reserve sync, which is a direct price oracle manipulation mechanism. This is an external dependency flaw because PancakeSwap reserve-based pricing can be re-shaped mid-transaction; there is no TWAP, price cap, or slippage guard in the burn path. The funds flow confirms a price manipulation: a burn from the pair to the dead address occurs (Transfer topic 0xddf252ad from 0x9b0ff36de2fc477cda8e4468e0067322ae18ce70 to 0x000000000000000000000000000000000000dead, logIndex 0x2a, amount 3,078 XPL), followed by a Swap event (topic 0xd78ad95f, logIndex 0x36) outputting 218,083,490.143452801535655976 USDT to the attacker contract, and finally a USDT transfer to the EOA (logIndex 0x56) of 718,844.117109291479369269 USDT.

Call flow: 0x9df9a1d108ee9c667070514b9a238b724a86094f -> 0x80bd723dc38a07952db40c1c2a45084714399bd9 (attacker contract); 0x80bd... -> 0x8f73b65b4caaf64fba2af91cc5d4a2a1318e5d8c for flashloaned BTCB/WBNB/USDT; 0x80bd... -> vBNB.mint and vUSDT.borrow(61021491.910484910523498141) then vUSDT.repayBorrow; 0x80bd... -> NodeDistributePlusProxy.DynamicBurnPool("2026-1-28", 3078e18); XPL.DynamicBurnPool burns from the Pancake pair and syncs; 0x80bd... -> PancakeSwapRouter.swap to dump XPL for USDT; repay flashloans; transfer USDT profit to the EOA.

Financial impact: the XPL/USDT PancakeSwap pool lost 964,588.312696725589930319 USDT net, while the attacker EOA received 718,844.117109291479369269 USDT (approximately $718,844). The remaining USDT was distributed to protocol fee/treasury addresses per tokenomics. Protocol solvency impact is limited to LPs and tokenomics pools; Venus borrow was fully repaid in-transaction with no bad debt.