InfinitySix Exploit Drains i6 Reserve Through Stale TWAP Reward Logic

31-Mar-2026 Crypto Adventure

InfinitySix on BNB Smart Chain was exploited in a transaction that left the attacker with about 273,802 USDT in profit after repaying all borrowed funds.

The transaction shows the attacker pulling in 270,000 WBNB from Lista DAO’s Moolah and sourcing more than 125.9 million USDT through Venus-linked flows before pushing capital through InfinitySix and the PancakeSwap i6-USDT pool. By the end of the same transaction, the wallet had repaid the loans and retained 273,802 USDT. That flow is visible directly in the transaction trace, which shows the flash-loaned WBNB, the Venus-linked USDT borrow, the 5.6 million i6 token payout, the 125.18 million USDT dump back into the pool, and the final 273,802 USDT profit transfer.

When checked after the exploit, the InfinitySix contract’s visible i6 balance on BscScan had fallen to just 8,791.75796752 i6, which supports the view that the token reserve was nearly emptied.

How the Attack Appears to Have Worked

A public breakdown from onchain security account ExVulSec said the exploit hinged on stale TWAP pricing inside InfinitySix’s reward withdrawal logic. According to that reconstruction, the attacker first made a small invest call to become a valid sponsor, then used a helper contract to push about 124.0 million USDT into InfinitySix as a referral-linked deposit. That structure allegedly generated an immediate referral bonus of about 6.2 million USDT while also sharply distorting the live i6 price in the pool.

The contract source on BscScan supports one important part of that setup. InfinitySix requires first-time users to specify a valid sponsor and checks that the sponsor already has deposits, which explains why the attack path appears to begin with a small initial invest step before the much larger referral-linked flow.

Why the Stale TWAP Was So Damaging

The heart of the exploit was not simply price manipulation but timing. ExVulSec said InfinitySix still used an older TWAP of about 1.05 USDT per i6 when the attacker called withdraw in the same transaction, even though the manipulated spot price had already surged to roughly 15,528 USDT per i6. If that reconstruction is correct, a reward amount denominated in USDT was converted into i6 using a deeply stale price, which massively overpaid the attacker in tokens.

That conversion gap is what turned a reward bug into an extraction event. At a stale reference of about 1.05 USDT per i6, a roughly 6.2 million USDT reward maps to around 5.9 million i6. At a manipulated market level near 15,528 USDT per i6, the same amount would equate to only about 399 i6. That mismatch is why the settlement logic mattered more than the temporary pool distortion itself.

The Cash Flow That Made the Attack Profitable

The attacker’s path was mechanically simple once the reward was overissued. BscScan’s transaction trace shows 5,601,682.600622405077131269 i6 moving out to the attacker-controlled address, followed by 5,545,665.774616181026359957 i6 being dumped into the PancakeSwap pool for 125,177,224.439321867310311298 USDT. Those proceeds were then used to repay the Venus-linked borrow and the Moolah flash loan, leaving the residual profit.

This is why the exploit reads as a reward-settlement failure rather than a pure liquidity attack. The pool skew helped set up the conditions, but the extraction came from the protocol minting or releasing far too many i6 tokens during withdrawal and allowing those tokens to be liquidated immediately in the same transaction.

What Broke Inside InfinitySix

Based on the public exploit reconstruction and the onchain flow, three design failures appear to have lined up.

Instant Referral Bonus Accrual

The referral-linked deposit seems to have created a large reward claim immediately rather than forcing that claim to vest over time or across blocks. That made it possible to turn a temporary pricing distortion into a same-transaction withdrawal opportunity.

Stale TWAP Used for Withdrawal Settlement

The central weakness appears to have been using a lagging TWAP for reward conversion while the pool’s live state had already moved violently. A TWAP can protect against brief price spikes, but only if update rules and settlement timing are designed so that the protocol cannot be forced to settle against an obsolete reference exactly when payouts are largest.

No Same-Transaction Withdrawal Cooldown

The exploit path also appears to have lacked a block delay or cooldown between bonus creation and withdrawal. That meant the attacker did not need to carry risk across time. Capital could be borrowed, rewards inflated, tokens withdrawn, tokens dumped, and loans repaid inside one atomic transaction.
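
The settlement step described above, modeled in Python as an added illustration (not InfinitySix's contract code and not part of the original article): it contrasts conversion at a stale TWAP with a guarded version applying a cooldown, a TWAP freshness check, and a spot-versus-TWAP deviation check. The threshold constants, class and function names, and block numbers are assumptions; the prices and reward size are the article's approximate figures.

```python
from dataclasses import dataclass
from decimal import Decimal

# All thresholds below are illustrative assumptions, not InfinitySix parameters.
MAX_DEVIATION = Decimal("0.10")   # max tolerated |spot - twap| / twap
MAX_TWAP_AGE_BLOCKS = 20          # reject a TWAP not updated recently
COOLDOWN_BLOCKS = 1               # blocks required between accrual and withdrawal


@dataclass
class Claim:
    reward_usdt: Decimal   # USDT-denominated reward owed
    accrued_block: int     # block in which the reward was credited


@dataclass
class PriceView:
    twap: Decimal          # time-weighted reference, USDT per i6
    spot: Decimal          # live pool price, USDT per i6
    twap_updated_block: int


def settle_naive(claim, price):
    """Flawed pattern: pay out at the TWAP with no sanity checks."""
    return claim.reward_usdt / price.twap


def settle_guarded(claim, price, current_block):
    """Return (i6_payout, reason). Payout is 0 when any guard trips."""
    if current_block - claim.accrued_block < COOLDOWN_BLOCKS:
        return Decimal(0), "cooldown: reward accrued too recently"
    if current_block - price.twap_updated_block > MAX_TWAP_AGE_BLOCKS:
        return Decimal(0), "stale: TWAP not updated recently"
    deviation = abs(price.spot - price.twap) / price.twap
    if deviation > MAX_DEVIATION:
        return Decimal(0), "deviation: spot and TWAP disagree"
    # Settle at the higher price so a lagging reference cannot inflate the payout.
    return claim.reward_usdt / max(price.twap, price.spot), "ok"


# Constructed scenario using the article's approximate figures.
BLOCK = 1_000_000  # hypothetical block number
attack_claim = Claim(Decimal("6200000"), accrued_block=BLOCK)
attack_price = PriceView(Decimal("1.05"), Decimal("15528"), BLOCK - 5)
```

With the constructed scenario, the naive path pays roughly 5.9 million i6, while the guarded path refuses in the accrual block and still refuses one block later because spot and TWAP disagree.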

Why This Exploit Matters

InfinitySix looks less like a classic flash-loan oracle attack and more like a settlement-layer failure in a rewards system that mixed referral incentives, price-based conversion, and immediate withdrawal rights. The flash loan supplied scale, but the real vulnerability appears to have been in how the protocol translated a USDT-denominated reward into i6 tokens under a stale price reference.

That distinction matters for BSC protocols with similar designs. When reward accrual is immediate, settlement depends on a time-lagged pricing reference, and withdrawals can happen in the same transaction, the protocol may be handing attackers a way to transform temporary price distortion into permanent token extraction.

The post InfinitySix Exploit Drains i6 Reserve Through Stale TWAP Reward Logic appeared first on Crypto Adventure.
