Data: The USDC-OCA liquidity pool on the BSC chain was attacked, and hackers exploited a deflation mechanism vulnerability to steal $422,000

According to BlockSec Phalcon monitoring, an unknown USDC-OCA liquidity pool on the BSC chain was attacked, resulting in approximately 422,000 USDC being withdrawn.

The attacker exploited a deflationary sellOCA() logic vulnerability of the OCA token, which allowed them to remove an equivalent amount of OCA from the liquidity pool each time they called the swap OCA token, artificially raising the token price within the pool.

The attack was completed through three transactions: the first executed the attack operation, while the latter two were mainly used to pay additional block builder bribes. The attacker paid a total of approximately 43 BNB plus 69 BNB to 48club-puissant-builder, with an estimated profit of around $340,000. Another transaction in the same block failed at position 52, suspected to have been front-run by the attacker.