Stole Millions, Had a Change of Heart: Who's Behind the BetterBank Hack
The Chronicle of BetterBank's Fall and the Most Audacious Hack on PulseChain.
The Chronicle of BetterBank's Fall and the Most Audacious Hack on PulseChain.
The BetterBank project, which positioned itself as a decentralized banking protocol on the PulseChain network, was attacked, resulting in an attacker withdrawing assets worth between $1 and $5 million. The cause of the incident was a vulnerability in the system for awarding liquidity provision bonuses—the smart contract allowed for the creation of fake liquidity pairs with the FAVOR token and receiving rewards, even if the other part of the pair was an unbacked asset.
BetterBank initially incentivized users to create liquidity pools with the FAVOR token by rewarding them with ESTEEM tokens. However, the investigation revealed that the contract did not verify the value or authenticity of the second token in the pair. Furthermore, the attacker managed to avoid taxation on the mass minting of rewards by using external pairs. As a result of the exploit, a significant number of tokens were minted, quickly depleting the reserves.
The incident was noticed within the last 24 hours: the project team observed abnormal withdrawals and quickly suspended the protocol to minimize damage. According to a statement from BetterBank, part of the losses were covered from reserve funds. The developers also promised to relaunch the reward smart contract with new logic and conduct an airdrop for previous participants affected by the attack.
At the time of the attack, BetterBank was one of the top five largest DeFi protocols on PulseChain and had recently announced reaching $30 million in TVL (Total Value Locked). After the hack, the TVL dropped to $9.96 million, while $10.31 million remains in circulation as borrowed liquidity. The damage affected not only BetterBank—the PulseX token, which was part of the liquidity pair, lost over 15% of its value.
PulseX Price After the BetterBank Attack (CoinGecko)
PulseChain as a whole continues to grow and recently restored its total liquidity to over $300 million. However, the BetterBank incident has once again drawn attention to security problems on niche blockchains. According to researchers, the exploit was possible due to weak verification of liquidity sources and "low-hanging fruit" left in the contract—scenarios that allow attackers to create fake activity to obtain real tokens.
The hacker managed to withdraw not only tokens within the PulseChain network: they also bridged 215 ETH to the main Ethereum network, increasing the chances of successful money laundering. At the time of publication, the attacker still held about 700 million pDAI, which require bridging to be exchanged. The project team sent a message to the attacker's address but received no response.
Shortly after the attack, the attacker converted part of the stolen assets into 309 ETH—estimated to be worth around $1.4 million. However, they voluntarily returned 550 million pDAI out of the 700 million, approximately $2.7 million. Thus, despite a serious blow to the protocol, some funds were recovered, though it is unclear whether this gesture was a sign of remorse, an attempt to reach an agreement with the project, or a strategic move to legitimize the remaining assets.
Although the direct damage to the project is estimated at several million dollars, the actual losses may be significantly higher due to eroded trust, the falling price of tokens, and the reputational blow to the entire PulseChain ecosystem.
