In another crypto fund drain, an attacker has pulled nearly $422,000 in Circle’s USDC stablecoin from an unknown USDC‑OCA liquidity pool. Blockchain investigator BlockSec Phalcon reported suspicious activity on the USDC‑OCA liquidity pool on Binance Smart Chain (BSC).
Attacker exploits vulnerability in OCA’s tokenomics
OCA is a deflationary crypto token on BSC: a portion of the tokens is burned whenever transfers or sales happen. Burning reduces the number of tokens, which is meant to push the price up over time.
The attacker exploited a vulnerability in the sellOCA() function, part of OCA’s deflationary mechanism. This function handles token sales, swaps, and burns or removes tokens from liquidity pools. By exploiting the flawed deflationary logic, the attacker artificially inflated the token’s on-pair price and drained $422,000 in USDC from the liquidity pool.
As per the investigation, the exploit unfolded in three transactions in a single block. The first transaction was the main exploit; the next two largely paid bribes to miners (48club‑puissant‑builder), roughly equal to 112 BNB. The attacker kept the remaining $340,000 as profit.
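The price effect described above can be modelled and monitored. The following is an added example, not OCA's contract code or BlockSec's analysis. It assumes a constant-product pair (the article does not state the pool type); the reserve figures and all function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    """Pair state after one transaction (constructed sample data)."""
    usdc: float       # USDC reserve
    token: float      # deflationary-token reserve
    lp_supply: float  # LP tokens outstanding

    @property
    def k(self) -> float:
        return self.usdc * self.token  # constant-product invariant

    @property
    def price(self) -> float:
        return self.usdc / self.token  # on-pair price, USDC per token

def swap_token_in(s: Snapshot, amount_in: float, fee: float = 0.0025) -> Snapshot:
    """Ordinary sale of tokens for USDC; with a fee, k never decreases."""
    effective = amount_in * (1 - fee)
    usdc_out = s.usdc * effective / (s.token + effective)
    return Snapshot(s.usdc - usdc_out, s.token + amount_in, s.lp_supply)

def burn_from_reserve(s: Snapshot, amount: float) -> Snapshot:
    """Tokens removed from the pair's own balance with no LP redemption."""
    return Snapshot(s.usdc, s.token - amount, s.lp_supply)

def flag_reserve_burns(history: list[Snapshot], tol: float = 1e-9) -> list[int]:
    """Indices where k fell while LP supply did not: neither a swap nor a withdrawal."""
    flagged = []
    for i in range(1, len(history)):
        prev, cur = history[i - 1], history[i]
        if cur.lp_supply >= prev.lp_supply and cur.k < prev.k * (1 - tol):
            flagged.append(i)
    return flagged

def sample_history() -> list[Snapshot]:
    """Constructed sequence: normal sale, reserve burn, same-size sale."""
    s0 = Snapshot(usdc=500_000.0, token=1_000_000.0, lp_supply=700_000.0)
    s1 = swap_token_in(s0, 10_000.0)
    s2 = burn_from_reserve(s1, 900_000.0)  # on-pair price jumps here
    s3 = swap_token_in(s2, 10_000.0)
    return [s0, s1, s2, s3]
```

A monitor built on this invariant alerts on the burn step itself, before any sale at the inflated price lands.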
As the attacker placed the transaction early in the block, users could not initiate any transactions in the same block because the required conditions had already changed.
“Another transaction in the same block failed at position 52, likely being frontrun by the attacker,” read an X post by the blockchain investigator.
Crypto fund exploits: A recurring threat?
Scams and exploits are nothing new in the industry. Since the beginning of this year, the industry has seen widespread on-chain hacks, liquidity pool fund drains, and more. The Tron network has witnessed over 80% of fund outflows to centralized exchanges, all related to scams, according to BlockSec Phalcon. The same platform has reported illicit fund flows from TG Guarantee, an illicit marketplace, to major centralized exchanges like OKX, Binance, and HTX.
Beyond these, the recent list of hacks includes the SagaEVM blockchain exploit, the MakinaFi hack, a $1.4 million loss due to the TMXTribe breach, and the Trust Wallet hack.