Verify a decision

{"actor":"system:backfill","investigation_id":"c6a533a8-b2be-4f92-859b-476d5eb6edfd","kind":"publish","page_slug":"surgebnb","published_at":"2026-05-28T17:49:59.409Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"SurgeBNB","sections":[{"content":"","heading":"","severity":"critical","sources":[{"credibility":3,"name":"https://beosin.medium.com/a-sweet-blow-fb0a5e08657d","type":"other","url":""},{"credibility":3,"name":"https://medium.com/@Knownsec_Blockchain_Lab/knowsec-blockchain-lab-xsurge-flash-loan-attack-analysis-b57b75ce6a30","type":"other","url":""},{"credibility":3,"name":"https://binancechain.news/xsurge-faces-5000000-exploit-despite-promises-of-security/2021/08/16/","type":"other","url":""}]},{"content":"","heading":"","severity":"high","sources":[{"credibility":3,"name":"https://binancechain.news/xsurge-faces-5000000-exploit-despite-promises-of-security/2021/08/16/","type":"other","url":""},{"credibility":3,"name":"https://x.com/xsurgedefi/status/1427347715915190274","type":"other","url":""}]},{"content":"","heading":"","severity":"critical","sources":[{"credibility":3,"name":"https://beosin.medium.com/a-sweet-blow-fb0a5e08657d","type":"other","url":""},{"credibility":3,"name":"https://medium.com/@Knownsec_Blockchain_Lab/knowsec-blockchain-lab-xsurge-flash-loan-attack-analysis-b57b75ce6a30","type":"other","url":""}]},{"content":"","heading":"","severity":"high","sources":[{"credibility":3,"name":"https://rumble.com/v100a06-defimark-discord-ama-livestream-addressing-the-surgebnb-hack.html","type":"other","url":""},{"credibility":3,"name":"https://binancechain.news/xsurge-faces-5000000-exploit-despite-promises-of-security/2021/08/16/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://xsurge.net/surgefund","type":"other","url":""},{"credibility":3,"name":"https://desk.lsr.finance/asset/sfr-surgefund-repayment/","type":"other","url":""}]},{"content":"","heading":"","severity":"high","sources":[{"credibility":3,"name":"https://cointelegraph.com/news/zachxbt-rug-pull-unpaid-work","type":"other","url":""}]}],"sources_used":[{"credibility":2,"name":"BEOSIN: XSURGE Flash Loan Attack Full Analysis","type":"research","url":"https://beosin.medium.com/a-sweet-blow-fb0a5e08657d"},{"credibility":2,"name":"Knownsec Blockchain Lab: XSURGE Flash Loan Attack Analysis","type":"research","url":"https://medium.com/@Knownsec_Blockchain_Lab/knowsec-blockchain-lab-xsurge-flash-loan-attack-analysis-b57b75ce6a30"},{"credibility":2,"name":"Binance Chain News: XSurge Faces $5,000,000 Exploit Despite Promises of Security","type":"news_article","url":"https://binancechain.news/xsurge-faces-5000000-exploit-despite-promises-of-security/2021/08/16/"},{"credibility":3,"name":"XSURGE Official Twitter — Hack Announcement","type":"social_media","url":"https://x.com/xsurgedefi/status/1427347715915190274"},{"credibility":3,"name":"XSURGE Trendsmap — Hack Address Tweet","type":"social_media","url":"https://www.trendsmap.com/twitter/tweet/1427359459102404609"},{"credibility":2,"name":"XSurge SurgeFund Official Page","type":"official","url":"https://xsurge.net/surgefund"},{"credibility":3,"name":"DefiMark Discord AMA Livestream — Addressing the SurgeBNB Hack","type":"other","url":"https://rumble.com/v100a06-defimark-discord-ama-livestream-addressing-the-surgebnb-hack.html"},{"credibility":2,"name":"SurgeFund Repayment (SFR) Token Info — lsr.finance","type":"on_chain","url":"https://desk.lsr.finance/asset/sfr-surgefund-repayment/"},{"credibility":3,"name":"YouTube: SurgeBnb Has Been Hacked — Over $4 Million Dollars Worth of BNB Stolen","type":"other","url":"https://www.youtube.com/watch?v=UGmbjjGoh8M"}],"summary":"SurgeBNB was a BEP-20 yield token on Binance Smart Chain operated by the XSurge DeFi project. On August 16–17, 2021, an attacker exploited a reentrancy vulnerability in the contract's sell() function via a flash loan, draining approximately 13,111 BNB (~$5 million USD) from the protocol. The project had publicly claimed to be 'rug-proof' prior to the exploit; post-hack, the team launched a 'SurgeFund' compensation scheme, though the extent and completion of repayment to victims remains unclear.","timeline":[{"date":"2021-07-30","event":"Developer 'SafemoonMark' (DefiMark) publicly touts SurgeBNB as safe from rug pulls via Twitter.","source":""},{"date":"2021-08-16","event":"XSurge team publicly warns community of an unpatched vulnerability in the SurgeBNB contract and urges users to migrate funds immediately.","source":""},{"date":"2021-08-16","event":"SurgeBNB contract is exploited via a flash loan reentrancy attack; over 13,111 BNB (~$5 million USD) drained from the protocol.","source":""},{"date":"2021-08-17","event":"Official XSurge Twitter account (@XSURGEDEFI) confirms the hack and posts attacker wallet details.","source":""},{"date":"2021-08-17","event":"BEOSIN publishes full technical post-mortem identifying the reentrancy vulnerability in the sell() function.","source":""},{"date":"2021-08-17","event":"Knownsec Blockchain Lab publishes independent flash loan attack analysis corroborating BEOSIN findings.","source":""},{"date":"2021-08-17","event":"DefiMark hosts Discord AMA livestream to address community concerns about the SurgeBNB hack.","source":""},{"date":"2021-09-01","event":"XSurge launches SurgeFund compensation mechanism; SurgeFund Repayment (SFR) token issued to track victim claims.","source":""}]},"v":1}