Summary
SurgeBNB was a BEP-20 yield token on Binance Smart Chain operated by the XSurge DeFi project. On August 16–17, 2021, an attacker exploited a reentrancy vulnerability in the contract's sell() function via a flash loan, draining approximately 13,111 BNB (~$5 million USD) from the protocol. The project had publicly claimed to be 'rug-proof' prior to the exploit; post-hack, the team launched a 'SurgeFund' compensation scheme, though the extent and completion of repayment to victims remain unclear.
Timeline (8 events)
2021-07-30
Developer 'SafemoonMark' (DefiMark) publicly touts SurgeBNB as safe from rug pulls via Twitter.
2021-08-16
XSurge team publicly warns community of an unpatched vulnerability in the SurgeBNB contract and urges users to migrate funds immediately.
2021-08-16
SurgeBNB contract is exploited via a flash loan reentrancy attack; over 13,111 BNB (~$5 million USD) drained from the protocol.
2021-08-17
Official XSurge Twitter account (@XSURGEDEFI) confirms the hack and posts attacker wallet details.
2021-08-17
BEOSIN publishes full technical post-mortem identifying the reentrancy vulnerability in the sell() function.
2021-08-17
Knownsec Blockchain Lab publishes independent flash loan attack analysis corroborating BEOSIN findings.
2021-08-17
DefiMark hosts Discord AMA livestream to address community concerns about the SurgeBNB hack.
2021-09-01
XSurge launches SurgeFund compensation mechanism; SurgeFund Repayment (SFR) token issued to track victim claims.
Decision Log
- hash: 6EsabKDFPcnreN9zZezqy28F6hDPuYijwkRVXrzX7zy7
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 5/4/2026, 2:54:54 AM
last updated: 5/28/2026, 5:49:59 PM
avoid.net — verified advice for a post-truth world