The project was hacked just three days after launch because it contained a technical vulnerability

Mobius incident: issue 9 quadrillion tokens and lose $2 million

14.05.2025

698

2 min

Another hopeful crypto project failed to survive even a week after its launch. GetBlock AML Research explains how a hacker withdrew $2 million from the $MBU token and why it was easy money for him.

Mathematical error

The unusual activity of the Mobius smart contract on the BNB Smart Chain was noticed on May 11. Three days after the token was launched and received liquidity from this address: 0x18027eF7CC0e7dCe85120f69D0B91B4F4F4c9E07Bf.

$MBU price collapse after the attack

Malicious transaction: 0x2a65254b41b42f39331a0bcc9f893518d6b106e80d9a476b8ca3816325f4a150.

Using the .deposit function in the Mobius smart contract, the hacker issued 9 731 099 570 720 980 659843835099042677 $MBU tokens, paying only 0,001 BNB. It turned out that the developers had made a multiplier error in the .deposit function, which made it possible to issue over 9 quadrillion unsecured tokens.

.deposit function with multiplier error

After minting the tokens, the attacker exchanged them for $2,16 million USDT and transferred the funds to the address: 0xb32a53af96f7735d47f4b76c525bd5eb02b42600. On the day of the attack, the hacker used this address to hack another platform, MHT Trade. The hacker sent the USDT received during the attack to Tornado Cash.

Visualization of the transfer of stolen funds to Tornado Cash

Mobius is one of those projects that have not been technically audited, so their source code usually contains gross errors that allow disruption of the smart contract and withdrawal of funds from it.

Subscribe to Getblock Magazine and stay up to date with the latest news from the world of cryptocurrencies and the digital economy