BSC TMM/USDT
Summary
BSC TMM/USDT is a Binance Smart Chain token pair that was exploited on April 4, 2026, via a flash loan-based reserve manipulation attack, resulting in an estimated loss of $1.665 million USDT. The attacker burned TMM tokens to a dead address to artificially skew pool reserves, then extracted USDT through a Constant Product Market Maker (CPMM) pricing imbalance. The TMM token contract lacked reserve synchronization on burn operations and had no verified third-party security audit on file.
Connected Entities
1 entitiesTimeline(6 events)
2021-02-01
TMM Group token reportedly launched on BSC, targeting DeFi and multi-utility use cases in Asian and African markets.
2026-04-04
Reserve manipulation attack executed against BSC TMM/USDT pool. Attacker burns TMM to dead address, reducing pool reserves to 1 TMM, then swaps 850 million TMM for ~272 million USDT via flash loans from five DeFi protocols. Net profit of $1,665,255 USDT extracted.
2026-04-05
ExVul security account posts alert on X identifying attacker contract (0x1c5e8d3501bbcae900e14d8720774d9ff6ec7203), target token address, and profit recipient wallet. Phemex publishes news article on the attack.
2026-04-05
SlowMist logs the TMM BSC exploit in its hacked database with a $1,665,000 loss figure.
2026-04-01
Halborn publishes detailed post-mortem: 'Explained: The TMM Hack (April 2026)', confirming root cause as missing reserve sync on burn operations.
2026-04-30
Halborn includes TMM in its 'Month in Review: Top DeFi Hacks of April 2026' roundup, listing it among the month's significant losses.
Decision Log
- hash: BPCdNCMNqiqLWU4E9nn2ChQsUhCRHcwedpTB297ow7wf
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 5/4/2026, 2:54:17 AM
last updated: 5/26/2026, 6:37:00 PM
avoid.net — verified advice for a post-truth world