Binance Smart Chain Hack Drains $187K as AM Token and WUKONG Staking Contracts Exploited

The Binance Smart Chain (BSC) ecosystem was hit by two distinct smart contract exploits in the early hours of March 12, 2026, leading to combined losses estimated at more than $187,000. Security alert provider TenArmor detected and reported both incidents via X posts, highlighting vulnerabilities that allowed attackers to drain funds from unrelated projects. the #AM token and the #WUKONG staking contract.These attacks, occurring within minutes of each other, serve as a reminder of persistent risks in DeFi protocols on BSC, including flawed token mechanics and classic coding errors.

AM Token Exploit: Flawed Burn Mechanism Drains ~$131,600

The first attack targeted the #AM token contract on BSC. TenArmor flagged it as resulting from “another flawed burn mechanism in tokens contract,” enabling an attacker to manipulate token supply or liquidity unfairly.

Key transaction details:

Transaction Hash: 0xd0d13179645985eae599c029574e866d79b286fbea395b66504f87f31629f859
Timestamp: March 12, 2026, 12:40:15 AM UTC
Attacker Wallet: 0x0B9a1391269e95162bfeC8785E663258C209333B
Target Contract: 0x11ab0C24fbc359a585587397D270B5FEd2c85FD4
Method Called: 0x07adecd7 (custom exploit function)
Profit Realized: Approximately 131,572.53 BUSD (~$131,600 at the time), transferred directly to the attacker wallet

The exploit leveraged flash loans from Lista DAO (also known as Moolah), borrowing massive amounts: 9,265,119.89 BUSD and 361,710.32 WBNB. These were used to interact with Venus protocol lending pools (vWBNB and vUSDT) for borrowing/repaying cycles and PancakeSwap V2 for swaps in the AM-BSC-USD liquidity pool.The flawed burn logic allowed unauthorized token minting or manipulation during swaps, leading to excessive BUSD extraction. A “SwapFailed” event occurred due to “INSUFFICIENT_LIQUIDITY” in one sub-call, but the overall transaction succeeded. Large AM token amounts were sent to a dead address as part of the burn simulation gone wrong, inflating the attacker’s gains. Similar smart contract vulnerabilities have appeared in other DeFi incidents as well, including the Solv Protocol exploit, where attackers drained $2.7 million from the BRO vault after exploiting a contract flaw.

WUKONG Staking Exploits – ~$55,700 Loss in Two Attacks

TenArmor described the subsequent incidents as “another two hacks” on the #WUKONG staking contract, explicitly attributing them to a “classical reentrancy vulnerability.” This allowed the attacker to repeatedly call withdrawal functions before state updates, draining funds multiple times.Combined losses:

First attack: ~$37,700
Second attack: ~$18,000 (noted as “the attacker’s another hack tx”)

Attacker Wallet (from analysis of related flows): 0x13b1ae7c8413cc9f53356e69393c61bd29965ac8
Vulnerability Details: The staking contract’s unstake or claim function transferred tokens/BNB before updating user balances, total staked amounts, or emitting events. No reentrancy guard was present.The attacker deployed temporary malicious contracts (e.g., addresses starting with 0xddb8…, 0x1f86…, 0xe89d…, etc.) that interacted with the staking contract, self-destructed after draining, and routed funds back via PancakeSwap Router V2. Internal transfers included:

2.01 BNB (~$1,294)
2 BNB (~$1,288)
Smaller amounts like 0.1 BNB and 0.4 BNB

These were converted and consolidated, with final outflows in BNB or wrapped forms.

Primary attack: 0x79467533d4d1f332df846dc78c16fe319cd1d3a1a0f01545b4cdd7a2d3a71d22 (~$37.7K)
Follow-up attack: 0x97e2b875552e4e82d058a775c7dd14198d15df869260235dbaf6577e5e3b13cc (~$18K)

Both occurred shortly after the AM exploit, around early March 12 UTC.

Separate Attacks, Common Chain Risks

The exploits involved different wallets (0x0B9a… for AM vs. 0x13b1… for WUKONG) and mechanisms (flash loan + burn flaw vs. reentrancy drain), indicating separate opportunistic actors rather than a coordinated group. However, the close timing and shared chain highlight how quickly vulnerabilities are scanned and exploited on BSC.No further on-chain recovery or project responses have been publicly confirmed yet. DeFi participants should prioritize:

Thorough smart contract audits
Use of established patterns like checks-effects-interactions
Reentrancy guards (e.g., OpenZeppelin libraries)
Real-time monitoring tools

These incidents also come amid a rise in scam tokens and honeypot schemes targeting users on BNB Smart Chain. In one recent case, a BSC Chain scam involving the 4Agent token reportedly drained nearly $100,000 from investors through a suspected honeypot setup, highlighting how malicious contracts can trap funds and prevent users from selling their tokens.