Blockchain security researcher ZachXBT has disclosed that GANA Payment, a cryptocurrency project operating on BNB Smart Chain, suffered a major exploit resulting in losses exceeding $3.1 million.
The attacker successfully laundered a significant portion of the stolen funds through Tornado Cash on both BSC and Ethereum networks, while roughly $1 million remains dormant on the Ethereum blockchain.
According to information shared by ZachXBT on his Telegram channel, the exploiter consolidated the theft at address 0x2e8***5c38 before depositing 1,140 BNB, valued at $1.04 million, into Tornado Cash on BSC.
The attacker then bridged funds to Ethereum and moved another 346.8 ETH worth $1.05 million through the privacy mixer, though 346 ETH currently sits untouched at address 0x7a503***b3cca.
Blockchain security firm HashDit quickly identified the root cause behind the breach after monitoring the suspicious activity.
The ownership of GANA’s exploited contract was maliciously changed, granting the hacker unauthorized control over the protocol’s staking mechanism and allowing them to manipulate reward rates.
This ownership transfer allowed the attacker to invoke unstake functions and receive substantially more GANA tokens than the system intended to distribute.
The hacker proceeded to dump these excess tokens on the open market, converting them into more liquid cryptocurrencies before routing proceeds through Tornado Cash.
HashDit issued an urgent warning advising users to avoid trading GANA tokens until the team provides official guidance on the situation.
The exploit adds another entry to BSC’s security record, which had seen relatively few major incidents throughout recent months.
While BNB Chain experienced a 70% reduction in losses from $161 million in 2023 to $47 million in 2024, according to joint analysis from BNB Chain and Hacken, isolated attacks continue to test the network’s defenses despite enhanced security protocols implemented across the ecosystem.
Earlier incidents on the network include a September phishing attack that drained $13.5 million from a Venus Protocol user after they approved a malicious transaction. However, the protocol’s smart contracts remained secure.
In February, meme coin platform Four.Meme also suffered a $183,000 security breach through what appeared to be a sandwich attack, losing approximately 125 BNB during the incident that followed volatility around its Test token.
GANA’s official team responded with an urgent announcement acknowledging the external attack on their interaction contract and confirming unauthorized asset theft.
The team emphasized they have partnered with an independent third-party security firm to conduct an emergency investigation, analyzing the attack vector, identifying vulnerabilities, and assessing the complete scope of impact.
The project pledged to activate a comprehensive reboot plan, including the complete mapping of all user asset addresses and their associated permissions.
GANA apologized for the inconvenience caused by the incident and promised to share detailed recovery plans and timelines through official channels shortly.
This exploit surfaced just after the crypto industry recorded its lowest monthly loss figures of the year, with only $18.18 million stolen across 15 separate incidents in October, according to PeckShield data.
That represented an 85.7% decline from September’s $127.06 million in losses, though security experts warned that threat actors continue evolving their tactics at the same pace as protocols strengthen defenses.
Notably, the GANA breach follows an even larger attack earlier this month when Balancer Protocol suffered losses exceeding $128 million across multiple chains.
The attacker targeted Balancer V2 Composable Stable Pools through sophisticated smart-contract manipulations involving improper authorization and callback handling, draining assets within minutes before laundering funds through Tornado Cash.
While the liquid staking protocol StakeWise recovered $19.3 million in osETH through a contract call, reducing total losses to approximately $98 million, the incident caused Balancer’s total value locked to plummet from $442 million to $214.52 million within a single day.
