Explained: The BetterBank Hack (August 2025)

POSTED BY: Rob Behnke

09.01.2025

In August 2025, BetterBank, a lending protocol hosted on Pulsechain, was the victim of a $5 million hack. The attackers exploited vulnerabilities in how the protocol handled reward minting to drain it of value.

Inside the Attack

The BetterBank hack was a liquidity pair manipulation attack. The attacker created fake liquidity pairs and used them to generate rewards for themselves. By taking advantage of this loophole in the protocol’s logic, the attacker had access to unlimited rewards, allowing them to drain $5 million from the vulnerable smart contract.

This attack was possible because of how the protocol implemented its bonus rewards and managed liquidity pairs involving its tokens. Under the bonus minting system, users were rewarded with ESTEEM tokens whenever they purchased FAVOR tokens. Since PulseX allowed anyone to create their own trading pairs, the attackers created fake pairs that combined a worthless token they controlled with FAVOR.

When the attackers performed bulk trades, swapping their worthless tokens for FAVOR, they were able to rack up massive bonuses as a result. Additionally, the tax logic in the protocol was designed to only apply to “official” liquidity pairs, allowing the attackers to sidestep fees that would have otherwise made the attack infeasible.
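
The reward and tax behaviour described above can be written as a small Python model with an invariant check that a test suite could enforce. This is an added example, not BetterBank's contract code or the auditor's patch; the rates, pair names and the allowlist check in the hardened variant are assumptions.

```python
from dataclasses import dataclass, field

# Assumed rates for illustration; the post does not give the real values.
BONUS_BPS = 1_000   # ESTEEM bonus per FAVOR bought, in basis points
TAX_BPS = 2_500     # trade tax charged on official pairs, in basis points


@dataclass
class RewardModel:
    official_pairs: frozenset
    bonus_requires_official_pair: bool   # False: the behaviour the post describes
    esteem_minted: dict = field(default_factory=dict)
    tax_collected: int = 0

    def on_favor_buy(self, pair: str, buyer: str, favor_amount: int) -> int:
        """Process one FAVOR purchase routed through `pair`; return the bonus minted."""
        official = pair in self.official_pairs
        if official:
            # The tax logic only recognises official pairs, as the post describes.
            self.tax_collected += favor_amount * TAX_BPS // 10_000
        if self.bonus_requires_official_pair and not official:
            return 0  # assumed fix: no reward for swaps through unknown pairs
        bonus = favor_amount * BONUS_BPS // 10_000
        self.esteem_minted[buyer] = self.esteem_minted.get(buyer, 0) + bonus
        return bonus


def untaxed_bonus(model: RewardModel, trades) -> int:
    """Invariant probe: total bonus minted on trades that paid no tax (should be 0)."""
    total = 0
    for pair, buyer, amount in trades:
        tax_before = model.tax_collected
        bonus = model.on_favor_buy(pair, buyer, amount)
        if model.tax_collected == tax_before:
            total += bonus
    return total


# Constructed sample trades: one through an allowlisted pair, two through a
# pair that nobody allowlisted (FAVOR paired with an arbitrary token).
OFFICIAL = frozenset({"pair:official-favor"})
TRADES = [("pair:official-favor", "alice", 1_000),
          ("pair:unlisted-favor", "mallory", 1_000_000),
          ("pair:unlisted-favor", "mallory", 1_000_000)]


def compare():
    """Return (untaxed bonus as described, untaxed bonus with the assumed fix)."""
    as_described = RewardModel(OFFICIAL, bonus_requires_official_pair=False)
    hardened = RewardModel(OFFICIAL, bonus_requires_official_pair=True)
    return untaxed_bonus(as_described, TRADES), untaxed_bonus(hardened, TRADES)
```

The bonus is computed from the FAVOR amount alone, so the probe's result does not depend on what asset sits on the other side of the pair.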

After the attack was detected, BetterBank froze trading on its system and claimed that it had successfully negotiated with the attacker and, as a result, 550M pDAI was returned to the protocol.

Lessons Learned from the Attack

The BetterBank protocol had previously undergone a security audit, which revealed the exact vulnerabilities exploited by the attacker. However, the proof of concept included in the audit report demonstrated the vulnerability using test Ether instead of a worthless token, which caused it to appear financially non-viable for the attacker. As a result, BetterBank made the decision to downgrade the vulnerability from Critical to Low/Informational and elected not to apply the patch code provided by the auditor.

The BetterBank incident demonstrates the importance of both performing smart contract security audits before launching code and ensuring that all identified vulnerabilities are addressed before release. In this case, a miscommunication regarding the severity of vulnerabilities listed in the audit report caused critical issues to be ignored, resulting in a $5 million hack.
