In May 2025, the BNB-based Mobius Token was the victim of a $2.15 million hack. The attacker took advantage of a vulnerability in the project’s smart contract to mint unauthorized tokens and drain value from the protocol’s smart contract.
Inside the Attack
The root cause of the Mobius hack was a mathematical bug in the project’s minting function. When fetching price data for the value of BNB, the smart contract used a function that returned price data after multiplying it by 10^18. However, the code multiplied the value by 10^18 again, massively inflating its perceived value. As a result, the collateral provided when minting tokens was overvalued, allowing far too many tokens to be created.
With the ability to create large volumes of Mobius (MBU) tokens out of thin air, an attacker can sell these tokens to make a profit at the expense of the project and legitimate token holders. This is what allowed the Mobius hacker to drain millions from the project’s smart contract.
The attacker who exploited the Mobius protocol deployed a malicious smart contract to BNB Chain and initiated their attack moments later. Through a series of malicious transactions, they minted an estimated 9.73 quadrillion MBU while depositing only 0.01 BNB in the contract.
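The double-scaling error described above can be modeled with plain integer arithmetic. The following is an added example, not code from the Mobius contract: the function names, the BNB price of 650 USD, and the 100,000 USD plausibility ceiling are assumptions, and the figures are not meant to reproduce the on-chain amounts. It shows the buggy valuation beside the corrected one, plus a bound check that rejects the inflated result.

```python
# Added illustration: integer model of 18-decimal fixed-point math on EVM chains.
# All names and the BNB price are assumptions; this is not the Mobius contract.
WAD = 10**18  # scale factor: the value 1.0 is stored as 10**18


def get_bnb_price_wad():
    """Hypothetical oracle: USD per BNB, already scaled by 10**18."""
    return 650 * WAD  # constructed sample price


def collateral_value_buggy(deposit_wei):
    # BUG: the price is already WAD-scaled, yet it is multiplied by 10**18 again.
    return deposit_wei * (get_bnb_price_wad() * WAD) // WAD


def collateral_value_fixed(deposit_wei):
    # wei (1e18) * price (1e18) / 1e18 -> USD value scaled by 1e18
    return deposit_wei * get_bnb_price_wad() // WAD


def checked_value(value_fn, deposit_wei, max_price_usd=100_000):
    """Defensive bound: reject a valuation that implies an absurd per-BNB price."""
    value = value_fn(deposit_wei)
    ceiling = deposit_wei * max_price_usd  # largest plausible USD value, WAD-scaled
    if value > ceiling:
        raise ValueError(f"implausible collateral value: {value / WAD:.3e} USD")
    return value


def inflation_factor(deposit_wei):
    """How many times the buggy valuation exceeds the correct one."""
    return collateral_value_buggy(deposit_wei) // collateral_value_fixed(deposit_wei)


if __name__ == "__main__":
    deposit = WAD // 100  # 0.01 BNB expressed in wei
    print("fixed valuation:", collateral_value_fixed(deposit) / WAD, "USD")
    print("buggy valuation:", collateral_value_buggy(deposit) / WAD, "USD")
    print("inflation factor:", inflation_factor(deposit))
    try:
        checked_value(collateral_value_buggy, deposit)
    except ValueError as err:
        print("bound check rejected mint:", err)
```
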
After minting these tokens, the attacker swapped them for stablecoins and transferred them through the Tornado Cash mixing service. This made it impossible to track the final destination of the funds and complicated potential recovery efforts.
The rapid execution of a sophisticated attack — including deploying a custom smart contract, swapping to stablecoins, and laundering the funds through Tornado Cash — indicates that the attacker is likely skilled and planned the attack out in advance. In the end, they stole an estimated $2.15 million by draining liquidity from the protocol’s contracts.
Lessons Learned from the Attack
The Mobius incident is a classic example of a major DeFi hack made possible by a simple smart contract vulnerability. The unaudited smart contract contained a simple logical error that allowed the attacker to mint a ludicrous number of tokens — approximately 9.73 quadrillion.
These types of mathematical and logical issues are common smart contract flaws that can be identified and remediated via a smart contract audit. In this case, a simple review of the perceived value of the collateral would have revealed the error. For help with protecting your project against this type of incident, reach out to Halborn.