On August 27, 2025, BetterBank, a decentralized lending protocol on PulseChain, fell victim to a reward minting and liquidity manipulation exploit, resulting in losses of around $5 million.
The attacker targeted BetterBank’s bonus minting mechanism, which distributed ESTEEM tokens whenever liquidity was provided for FAVOR. This design allowed manipulation through fake liquidity pools and wash trading, an issue that had previously been flagged during an audit but dismissed as low severity.
How the Exploit Happened
The attacker began by borrowing funds via a flash loan and draining the DAI–PDAIF pool. They then created a fake ERC20 token and paired it with PDAIF, enabling them to manipulate trading activity and trigger ESTEEM reward minting.
By repeating swaps between the bogus token and PDAIF, the attacker inflated ESTEEM rewards, which were later converted back into FAVOR and more PDAIF tokens. This artificially boosted supply and destabilized the pool.
Next, liquidity was re-added to the real pool with intentional imbalance, allowing the attacker to extract ~891M DAI at favorable rates. The borrowed flash loan was repaid, leaving them with millions in profit.
In total, the exploit drained 891M DAI, 9.05B PLSX, and 7.40B WPLS.
Root Cause
- Flawed reward logic: Rewards were minted whenever FAVOR appeared as output, without validating the legitimacy of the pool.
- Convertible rewards vulnerability: Minted ESTEEM could be recycled into FAVOR, enabling repeated exploitation.
- Ignored audit warning: A prior report had identified the risk of fake liquidity pools, but it was downgraded and left unpatched.
We’ve published the full technical breakdown in our detailed blog: BetterBank Exploit: $5M Lost in Reward Hack
Impact and Aftermath
The attacker laundered stolen funds through swaps on PulseChain DEXes and later bridged about $922K worth of ETH to Ethereum, hiding their trail via Tornado Cash.
Following the attack, BetterBank drained all FAVOR pools, announced a 20% bounty for the attacker, and initiated recovery measures. Remarkably, the attacker later returned $2.7M worth of assets, leaving net losses of around $1.4M.
BetterBank also pledged to fix vulnerabilities, relaunch tokens via airdrops, and stabilize the protocol before reopening.
Lessons Learned
The BetterBank hack demonstrates how small oversights can escalate into major exploits:
- Reward minting must only occur through whitelisted pools.
- Token-level validation is more secure than pair-based checks.
- Even low-severity audit findings must be addressed proactively.
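The first lesson, set against the flawed reward logic from the root cause, as an added Solidity sketch that is not BetterBank's code. It assumes the FAVOR token calls a hook on the bonus contract whenever FAVOR leaves a pool and passes that pool's address; the contract, function and event names and the 1% rate are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: every name and the 1% rate are hypothetical, not BetterBank's code.
interface IMintable {
    function mint(address to, uint256 amount) external;
}

contract BonusMinterSketch {
    address public immutable owner;
    address public immutable favor;     // token whose purchase earns the bonus
    IMintable public immutable esteem;  // reward token minted as the bonus
    uint256 public constant BONUS_BPS = 100; // constructed rate: 1% of FAVOR received
    mapping(address => bool) public approvedPool; // pools vetted by the protocol

    event BonusSkipped(address indexed pool, address indexed buyer, uint256 favorOut);

    constructor(address favor_, IMintable esteem_) {
        owner = msg.sender;
        favor = favor_;
        esteem = esteem_;
    }

    function setPoolApproval(address pool, bool approved) external {
        require(msg.sender == owner, "not owner");
        approvedPool[pool] = approved;
    }

    // Flawed pattern: FAVOR leaving any pool earns ESTEEM, so a pool that anyone
    // can create against a worthless token qualifies just like a real one.
    function onBuyUnchecked(address, address buyer, uint256 favorOut) external {
        require(msg.sender == favor, "caller is not FAVOR");
        esteem.mint(buyer, (favorOut * BONUS_BPS) / 10_000);
    }

    // Hardened pattern: mint only when the FAVOR came out of an approved pool;
    // otherwise emit an event that monitoring can alert on.
    function onBuyChecked(address pool, address buyer, uint256 favorOut) external {
        require(msg.sender == favor, "caller is not FAVOR");
        if (!approvedPool[pool]) {
            emit BonusSkipped(pool, buyer, favorOut);
            return;
        }
        esteem.mint(buyer, (favorOut * BONUS_BPS) / 10_000);
    }
}
```

Skipping the bonus instead of reverting keeps ordinary transfers through unapproved pools working, while a burst of BonusSkipped events from a newly created pool is a signal worth alerting on.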
The BetterBank exploit highlights the severe risks posed by centralized control and inadequate security practices within DeFi protocols. This incident was not merely the result of a technical flaw but a deliberate abuse of governance authority, showing how insider threats can be just as damaging as external attacks.
To prevent such occurrences, projects must prioritize transparency, robust security audits and decentralized safeguards. Partnering with trusted audit firms like QuillAudits can help protocols identify vulnerabilities, strengthen governance mechanisms, and build a more secure and resilient DeFi ecosystem.