In late August 2025, the decentralized finance (DeFi) protocol BetterBank, operating on the PulseChain network, experienced a sophisticated exploit resulting in an initial loss of approximately $5 million. While post-attack negotiations led to the return of $2.7 million, the protocol was left with a net loss of around $1.4 million. The incident serves as a stark reminder of the financial consequences of design-level flaws compounded by organizational inaction.
The root cause was a fundamental vulnerability in the protocol’s reward system, specifically within a function designed to mint bonus ESTEEM tokens. This function failed to validate whether a token swap occurred within a legitimate, whitelisted liquidity pool, an oversight the attacker exploited.
A Preventable Flaw in the Reward System
The core of the attack was a logic flaw in the swapExactTokensForFavorAndTrackBonus function. It rewarded any swap that resulted in FAVOR tokens, without verifying which liquidity pool the swap had gone through. This vulnerability had been explicitly identified in a security audit by Zokyo a month earlier. However, due to a communication breakdown, the finding was downgraded and the recommended patch was not fully implemented. This critical failure allowed the attacker to create a fake trading environment to trigger the bonus system at will. A secondary flaw in the tokenomics created an infinite minting loop, as the newly minted ESTEEM rewards could be converted back into FAVOR tokens to generate even more bonuses.
How the Attacker Bypassed Defenses
The attacker initiated the exploit with a flash loan to acquire capital. They then created a worthless token and paired it with PDAIF in a new, custom liquidity pool. Crucially, this fake pool was not subject to BetterBank’s sell tax, a protective measure that only applied to official, whitelisted pairs. By executing rapid swaps within their fee-free environment, the attacker triggered the vulnerable function repeatedly, minting an unlimited supply of ESTEEM tokens. This recursive loop allowed them to systematically drain the protocol’s real asset reserves, siphoning off millions in DAI, PLSX, and WPLS tokens.
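To make the missing check concrete for both the flawed reward function and the fake-pool bypass described above, here is an added Solidity sketch; it is not BetterBank's code, and the interfaces, contract and function names, and the bonus rate are all assumed. It places the unchecked bonus hook beside a version that requires every hop of the swap path to be an official, whitelisted pair.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical sketch, not BetterBank's code: interfaces, names and the bonus rate
// are assumed. Shows the unchecked bonus hook beside a whitelist-enforcing version.
interface IERC20 {
    function transferFrom(address, address, uint256) external returns (bool);
    function approve(address, uint256) external returns (bool);
}
interface IEsteem { function mint(address to, uint256 amount) external; }
interface IFactory { function getPair(address, address) external view returns (address); }
interface IRouter {
    function swapExactTokensForTokens(uint256 amountIn, uint256 amountOutMin,
        address[] calldata path, address to, uint256 deadline) external returns (uint256[] memory);
}
contract BonusSwap {
    address  public immutable favor;
    IEsteem  public immutable esteem;
    IRouter  public immutable router;
    IFactory public immutable factory;
    uint256  public constant BONUS_BPS = 500;         // assumed: 5% bonus, paid in ESTEEM
    mapping(address => bool) public whitelistedPair;  // official, sell-taxed pairs only
    constructor(address f, IEsteem e, IRouter r, IFactory fa, address[] memory pairs) {
        favor = f; esteem = e; router = r; factory = fa;
        for (uint256 i = 0; i < pairs.length; i++) whitelistedPair[pairs[i]] = true;
    }

    // Pulls the caller's input tokens, swaps along `path`, returns the FAVOR received.
    function _swapToFavor(address[] calldata path, uint256 amountIn, uint256 minOut) internal returns (uint256) {
        require(path[path.length - 1] == favor, "path must end in FAVOR");
        IERC20(path[0]).transferFrom(msg.sender, address(this), amountIn);
        IERC20(path[0]).approve(address(router), amountIn);
        uint256[] memory amounts = router.swapExactTokensForTokens(
            amountIn, minOut, path, msg.sender, block.timestamp);
        return amounts[amounts.length - 1];
    }

    // VULNERABLE: mints ESTEEM for any path ending in FAVOR, including one routed
    // through a caller-created pool that sits outside the whitelist and its sell tax.
    function swapAndTrackBonusUnchecked(address[] calldata path, uint256 amountIn, uint256 minOut) external {
        esteem.mint(msg.sender, _swapToFavor(path, amountIn, minOut) * BONUS_BPS / 10_000);
    }

    // HARDENED: every hop of the path must be an official, whitelisted pair.
    function swapExactTokensForFavorAndTrackBonus(address[] calldata path, uint256 amountIn, uint256 minOut) external {
        for (uint256 i = 0; i + 1 < path.length; i++) {
            require(whitelistedPair[factory.getPair(path[i], path[i + 1])], "pool not whitelisted");
        }
        esteem.mint(msg.sender, _swapToFavor(path, amountIn, minOut) * BONUS_BPS / 10_000);
    }
}
```

The per-hop whitelist check closes the fake-pool path, but it does not by itself address the secondary tokenomics loop in which minted ESTEEM is converted back into FAVOR to earn further bonuses; that needs a separate cap or cooldown on rewards.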