Movie Token Exploit Examined by Blockchain Security Firm CertiK

Blockchain security firm CertiK has released a detailed forensic breakdown of the March 10, 2026, exploit that drained roughly $242,000 from the Movie Token (MT) project on the BNB Smart Chain. The incident, which targeted a popular deflationary token integrated with PancakeSwap liquidity, stemmed from a subtle yet devastating flaw in the contract’s sell mechanism.

According to CertiK’s on-chain analysis, the vulnerability allowed an attacker to artificially inflate the token’s price through manipulated burns, ultimately siphoning value from the liquidity pool.

The root cause lay in a double-counting error within the token transfer logic. When users sold MT tokens, the contract forwarded the net amount (90% of the sale, after the 10% sell tax) to the liquidity pair for swapping, but it also simultaneously credited that identical quantity to a pendingBurnAmount variable.

Later, when the public function distributeDailyRewards() was invoked, it triggered a chain of calls—extractFromPoolForLpMining() followed by executePendingBurn()—that removed these “pending” tokens directly from the pair’s reserves.

This created an artificial supply contraction, driving the token’s price skyward and enabling the attacker to exit with outsized profits.
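As an added illustration (not code from CertiK's report or from the Movie Token contract), the following Python model reproduces the accounting error described above in a toy constant-product pool. With `double_count=True` the already-forwarded net amount is also queued for burning and the burn is later taken straight out of the pair's reserves, which lifts the price; with `double_count=False` (an assumed sound design, not the project's actual fix) only tokens the contract itself holds are queued and burned, so reserves are untouched. The `burn_queue_is_backed` check at the end is the kind of review or monitoring assertion that would flag the double-count: the queued burn must never exceed the contract's own balance. Pool sizes and the sell amount are constructed.

```python
from dataclasses import dataclass

TAX_BPS = 1_000   # 10% sell tax, as described in the report
BPS = 10_000


@dataclass
class Pair:
    """Minimal constant-product pool (PancakeSwap-style); swap fees ignored."""
    reserve_mt: int
    reserve_wbnb: int

    def price_wbnb_per_mt(self) -> float:
        return self.reserve_wbnb / self.reserve_mt

    def swap_mt_for_wbnb(self, mt_in: int) -> int:
        """Sell mt_in into the pool, return the WBNB paid out."""
        k = self.reserve_mt * self.reserve_wbnb
        self.reserve_mt += mt_in
        new_wbnb = -(-k // self.reserve_mt)      # ceil division keeps x*y >= k
        out = self.reserve_wbnb - new_wbnb
        self.reserve_wbnb = new_wbnb
        return out


@dataclass
class TokenModel:
    pair: Pair
    double_count: bool          # True models the flaw CertiK describes
    contract_balance: int = 0   # tokens the contract itself holds (collected tax)
    pending_burn: int = 0       # stands in for pendingBurnAmount

    def sell(self, amount: int) -> int:
        tax = amount * TAX_BPS // BPS
        net = amount - tax
        self.contract_balance += tax
        wbnb_out = self.pair.swap_mt_for_wbnb(net)   # net amount delivered to the pair
        if self.double_count:
            # Flaw: the same net amount that just went to the pair is queued
            # for burning as well, so the later burn hits pair reserves.
            self.pending_burn += net
        else:
            # Assumed sound design: only tokens the contract actually holds
            # (here, the tax) are ever queued for burning.
            self.pending_burn += tax
        return wbnb_out

    def execute_pending_burn(self) -> int:
        burn, self.pending_burn = self.pending_burn, 0
        if self.double_count:
            # Flaw: tokens removed directly from the pair's reserves
            burn = min(burn, self.pair.reserve_mt)
            self.pair.reserve_mt -= burn
        else:
            # Burn from the contract's own balance; reserves are untouched
            burn = min(burn, self.contract_balance)
            self.contract_balance -= burn
        return burn


def burn_queue_is_backed(model: TokenModel) -> bool:
    """Invariant a reviewer or monitor would assert after every sell:
    whatever is queued for burning must be backed by tokens the contract holds."""
    return model.pending_burn <= model.contract_balance


def price_impact_of_burn(double_count: bool) -> float:
    """Run one constructed sell then the burn; return price_after / price_before."""
    model = TokenModel(Pair(reserve_mt=1_000_000, reserve_wbnb=100), double_count)
    model.sell(100_000)                      # net 90_000 goes to the pair, 10_000 tax retained
    before = model.pair.price_wbnb_per_mt()
    model.execute_pending_burn()
    return model.pair.price_wbnb_per_mt() / before


def invariant_holds_after_sell(double_count: bool) -> bool:
    model = TokenModel(Pair(reserve_mt=1_000_000, reserve_wbnb=100), double_count)
    model.sell(100_000)
    return burn_queue_is_backed(model)


if __name__ == "__main__":
    print("price ratio, double-counting:", price_impact_of_burn(True))    # 1.09
    print("price ratio, backed burn:    ", price_impact_of_burn(False))   # 1.0
    print("queue backed (flawed):", invariant_holds_after_sell(True))     # False
    print("queue backed (sound): ", invariant_holds_after_sell(False))    # True
```

The 9% price jump in the flawed configuration comes from a single modest sell against a pool ten times its size; the report's figures show how the same mechanic, applied after the pool's MT reserves had already been drawn down, leaves almost nothing on the MT side of the pair. The invariant is cheap to evaluate on every transfer and could equally be expressed as a post-condition in a formal specification of the burn queue.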

The sophisticated attack unfolded in a meticulously orchestrated sequence leveraging flash loans and liquidity maneuvers.

The perpetrator first borrowed 358,681.54 WBNB via a flash loan from the Moolah proxy.

Using tiny swaps and liquidity additions/removals on PancakeSwap, the attacker bypassed swap fees and a built-in restriction (!deflationStopped) that would have blocked direct purchases.

Key steps included swapping portions of WBNB for MT, adding and then removing liquidity to retrieve tokens without triggering taxes, and executing a secondary flash swap of 397 WBNB.

In the callback, the same 90% net amount was both delivered to the pair and added to the burn queue.

With reserves already strained, the attacker then swapped an additional 717 WBNB for roughly 10 million MT, reducing the pool’s MT holdings to about 6.75 million.

Calling distributeDailyRewards() at this precise moment burned nearly all remaining MT from the pair—leaving just 21,000 tokens against 1,201 WBNB.

The resulting price distortion allowed the final swap of 10 million MT for 1,198.628 WBNB.

After repaying the initial flash loan, the net profit stood at 381.7468 WBNB, later converted to approximately $242,000 in USDC.

Post-exploit fund flows reveal professional laundering tactics.

The attacker swapped proceeds on BSC, bridged them to Ethereum, converted to DAI, and shielded the assets via Railgun, complicating any recovery efforts.

Key addresses tied to the wallet and exploit contract have been flagged in CertiK’s report.

This incident underscores persistent risks in deflationary token designs, particularly around burn logic and liquidity interactions.

CertiK notes that the erroneous indentation around pendingBurnAmount suggests the double-counting may have been an unintended oversight during development.

The attack joins a string of similar BSC exploits in early 2026, including those affecting projects like SOF, LAXO, Gyroscope, and Makina, highlighting the need for exhaustive smart-contract audits that scrutinize every edge case in tax, burn, and reward mechanisms.

For DeFi builders, the Movie Token incident serves as a reminder: even minor logic flaws can be weaponized by flash-loan attackers. CertiK concluded that projects must prioritize rigorous code reviews, formal verification, and real-time monitoring to safeguard liquidity pools and user funds in an increasingly sophisticated threat landscape.
