Verify a decision

{"actor":"system:backfill","investigation_id":"405be8c2-17fe-4e38-909a-f7c376262a69","kind":"publish","page_slug":"skp-skippy-token","published_at":"2026-05-28T03:58:43.477Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"SKP / Skippy Token","sections":[{"content":"On May 27, 2026, TenArmor, a blockchain security monitoring firm, detected suspicious on-chain activity involving SKP liquidity pools on BNB Smart Chain. The total loss across affected protocols was estimated at approximately $212,000. TenArmor's alert stated: 'Our system has detected a suspicious attack involving #SKP on #BSC, resulting in an approximately loss of $212K.' The attacker cycled BSC-USD, BTCB, and SKP tokens through multiple lending and swap protocols before converting proceeds into stablecoins and native BNB. The primary exploit transaction hash is 0xbc01ea37bd2ff8f6aa6afcfbe0406114ff27a01e9aa56102bfa4ad8a0c2f25ee, confirmed on BscScan at block 100582079. The sender address is labeled 'SKP/USDT Pair Exploiter 1' (0x83B9e7EDC5B3127E4853A4F4945b92aa88eEF0C8), which transferred funds to a secondary address labeled 'SKP/USDT Pair Exploiter 2' (0xE924853DcDfcB89292335042AB10d68c7315D7C1). The attacker's final holdings were approximately 162,854 BSC-USD and 74.877 BNB.","heading":"Exploit Overview","severity":"critical","sources":[{"credibility":2,"name":"SKP Liquidity Exploit Drains $212K Across BNB Chain DeFi Protocols — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/27/skp-liquidity-exploit-drains-212k-across-bnb-chain-defi-protocols/"},{"credibility":1,"name":"BscScan — Exploit Transaction 0xbc01ea37","type":"on_chain","url":"https://bscscan.com/tx/0xbc01ea37bd2ff8f6aa6afcfbe0406114ff27a01e9aa56102bfa4ad8a0c2f25ee"}]},{"content":"The attack exploited pricing inefficiencies between SKP liquidity pools and BNB Chain lending markets. According to available reporting, the attacker manipulated price discrepancies across multiple DeFi venues — specifically PancakeSwap V2, Venus Protocol, and Lista DAO — rather than draining wallets directly. On-chain transaction data shows 39 token transfer events in the primary exploit transaction, including large movements of BTCB (~1,676 units), vBTC (Venus receipt tokens, ~82,318 units), and approximately 204.95 million USDT routed through PancakeSwap pairs. A secondary detail reported by security researchers alleges that the flaw may relate to SKP token logic that permitted excess SKP tokens to be transferred from the PancakeSwap V2 SKP/USDT LP following a large buy, after which sync() was called to write incorrect reserves and push the SKP reserve close to zero — a pattern consistent with LP reserve manipulation attacks. This root cause characterization is unconfirmed and should be treated as alleged pending an official post-mortem. Flash loans are alleged to have been used to amplify the attack. No official team statement or incident post-mortem had been issued as of the date of reporting.","heading":"Attack Mechanism","severity":"critical","sources":[{"credibility":2,"name":"SKP Liquidity Exploit Drains $212K Across BNB Chain DeFi Protocols — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/27/skp-liquidity-exploit-drains-212k-across-bnb-chain-defi-protocols/"},{"credibility":1,"name":"BscScan — Exploit Transaction Detail (block 100582079)","type":"on_chain","url":"https://bscscan.com/tx/0xbc01ea37bd2ff8f6aa6afcfbe0406114ff27a01e9aa56102bfa4ad8a0c2f25ee"}]},{"content":"SKIPPY (SKP) is a BEP-20 token deployed on BNB Smart Chain on October 27, 2021, at contract address 0x6F6E2DA8DB407B17d06FB4530fd1e42824fA881C. The total supply is 400,000,000 SKP with 9 decimal places. The project was conceived as an Australian utility token offering travel and hospitality payments (Skippy GO), online apparel retail (Skippy Apparels), a crypto project marketplace (Skippy Coin Market), and a multi-wallet manager (Skippy multi Wallet). The company behind the project is alleged to be UNIQUE GROUP AUSTRALIA PTY LTD, reportedly founded August 10, 2010. An ICO was planned for January 10–23, 2022, but was at one point postponed due to compatibility concerns and alleged unfavorable market conditions. As of post-exploit reporting, the token had only 41 on-chain holders, with the top four addresses controlling approximately 96% of total supply — indicating extreme ownership concentration. The token showed effectively zero trading volume and zero price discovery at time of investigation.","heading":"Token Background and Project History","severity":"high","sources":[{"credibility":1,"name":"SKIPPY (SKP) Token Tracker — BscScan","type":"on_chain","url":"https://bscscan.com/token/0x6F6E2DA8DB407B17d06FB4530fd1e42824fA881C"},{"credibility":2,"name":"SKIPPY (SKP) Price and Market Stats — TheBitTimes","type":"other","url":"https://thebittimes.com/token-SKP-BSC-0x6F6E2DA8DB407B17d06FB4530fd1e42824fA881C.html"},{"credibility":3,"name":"SKIPPY TOKEN (ST) ICO Rating and Details — ICOholder","type":"other","url":"https://icoholder.com/en/skippy-token-1008470"}]},{"content":"The project lists five team members: Fred Kher (Founder and CEO), Zak Aziz (CTO), Wade Kherk (Co-Founder and R&D Manager), Sam Annavi (Project Engineering Manager), and Zia Rahman (Projects Technical Manager). Per ICOholder, zero percent of team members have been independently verified on that platform. No verifiable LinkedIn profiles, public identities, or prior crypto project histories have been confirmed for any named team member through available sources. The contract on BscScan does not carry a verified security audit. No official social media communication regarding the May 2026 exploit has been located.","heading":"Team Transparency","severity":"high","sources":[{"credibility":3,"name":"SKIPPY TOKEN (ST) ICO Rating and Details — ICOholder","type":"other","url":"https://icoholder.com/en/skippy-token-1008470"},{"credibility":1,"name":"SKIPPY (SKP) Token Tracker — BscScan","type":"on_chain","url":"https://bscscan.com/token/0x6F6E2DA8DB407B17d06FB4530fd1e42824fA881C"}]},{"content":"On-chain data presents several notable risk indicators. The token has only 41 holders, with the top four addresses holding approximately 96% of total supply — a concentration level associated with elevated rug-pull and price manipulation risk. The token has no active trading volume and a market price of effectively $0. The contract was compiled with Solidity v0.8.4 and has optimization enabled, but no security audit has been submitted or verified. The fee structure includes transaction taxes for liquidity, developer allocation, and reflection/redistribution, which are commonly associated with honeypot or high-fee token designs on BSC. The token has been deployed since October 2021 with minimal adoption despite over four years of existence.","heading":"On-Chain Risk Indicators","severity":"high","sources":[{"credibility":1,"name":"SKIPPY (SKP) Token Tracker — BscScan","type":"on_chain","url":"https://bscscan.com/token/0x6F6E2DA8DB407B17d06FB4530fd1e42824fA881C"},{"credibility":2,"name":"SKIPPY (SKP) Price and Market Stats — TheBitTimes","type":"other","url":"https://thebittimes.com/token-SKP-BSC-0x6F6E2DA8DB407B17d06FB4530fd1e42824fA881C.html"}]},{"content":"The SKP exploit occurred within a broader wave of DeFi attacks on BNB Smart Chain in 2026. Prior incidents in the same year include a $3.7 million Venus Protocol flash loan attack in March 2026, a $133,000 unknown stake contract drain in March 2026, a $950,000 LML staking protocol exploit in April 2026, and a $438,000 flash loan attack on SOF and LAXO in February 2026. The SKP incident follows common patterns seen across low-liquidity BSC tokens where pricing inefficiencies between spot pools and lending oracle feeds can be exploited via flash loans to manipulate collateral valuations or LP reserves. Security firm BlockRazor received 1 BNB from the exploit transaction address, consistent with the attacker using a private mempool or frontrunning-protection service to prevent the transaction from being intercepted.","heading":"Broader BNB Chain Exploit Context","severity":"medium","sources":[{"credibility":2,"name":"SKP Liquidity Exploit Drains $212K Across BNB Chain DeFi Protocols — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/27/skp-liquidity-exploit-drains-212k-across-bnb-chain-defi-protocols/"},{"credibility":2,"name":"Venus Protocol Flash Loan Attack on BNB Chain: $3.7M Lost — TheWeal","type":"news_article","url":"https://theweal.com/2026/03/16/venus-protocol-flash-loan-attack-on-bnb-chain-3-7m-lost/"},{"credibility":2,"name":"LML Staking Protocol Exploited for $950K on BSC, Token Crashes 99.6% — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/04/01/lml-staking-protocol-exploited-for-950k-on-bsc-token-crashes-99-6/"},{"credibility":1,"name":"BscScan — Exploit Transaction 0xbc01ea37 (BlockRazor payment visible)","type":"on_chain","url":"https://bscscan.com/tx/0xbc01ea37bd2ff8f6aa6afcfbe0406114ff27a01e9aa56102bfa4ad8a0c2f25ee"}]}],"sources_used":[{"credibility":2,"name":"SKP Liquidity Exploit Drains $212K Across BNB Chain DeFi Protocols — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/27/skp-liquidity-exploit-drains-212k-across-bnb-chain-defi-protocols/"},{"credibility":1,"name":"BscScan — SKIPPY (SKP) Token Tracker","type":"on_chain","url":"https://bscscan.com/token/0x6F6E2DA8DB407B17d06FB4530fd1e42824fA881C"},{"credibility":1,"name":"BscScan — Exploit Transaction 0xbc01ea37bd2ff8f6aa6afcfbe0406114ff27a01e9aa56102bfa4ad8a0c2f25ee","type":"on_chain","url":"https://bscscan.com/tx/0xbc01ea37bd2ff8f6aa6afcfbe0406114ff27a01e9aa56102bfa4ad8a0c2f25ee"},{"credibility":2,"name":"SKIPPY (SKP) Price and Market Stats — TheBitTimes","type":"other","url":"https://thebittimes.com/token-SKP-BSC-0x6F6E2DA8DB407B17d06FB4530fd1e42824fA881C.html"},{"credibility":3,"name":"SKIPPY TOKEN (ST) ICO Rating and Details — ICOholder","type":"other","url":"https://icoholder.com/en/skippy-token-1008470"},{"credibility":2,"name":"Venus Protocol Flash Loan Attack on BNB Chain: $3.7M Lost — TheWeal","type":"news_article","url":"https://theweal.com/2026/03/16/venus-protocol-flash-loan-attack-on-bnb-chain-3-7m-lost/"},{"credibility":2,"name":"LML Staking Protocol Exploited for $950K on BSC — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/04/01/lml-staking-protocol-exploited-for-950k-on-bsc-token-crashes-99-6/"}],"summary":"SKIPPY (SKP) is a BEP-20 utility token deployed on BNB Smart Chain in October 2021, originally conceived as an Australian-based crypto payment utility project. On May 27, 2026, blockchain security firm TenArmor detected an active exploit draining approximately $212,000 from SKP-linked liquidity pools across PancakeSwap, Venus, and Lista DAO, with the attacker exiting with approximately 162,854 BSC-USD and 74.877 BNB. The root cause of the exploit remained unidentified at time of reporting, and no official post-mortem or team response had been issued.","timeline":[{"date":"2021-10-27","event":"SKIPPY (SKP) BEP-20 token deployed on BNB Smart Chain at contract 0x6F6E2DA8DB407B17d06FB4530fd1e42824fA881C.","source":"BscScan token tracker","source_url":"https://bscscan.com/token/0x6F6E2DA8DB407B17d06FB4530fd1e42824fA881C"},{"date":"2022-01-10","event":"Skippy Token ICO period opened (January 10–23, 2022); ICO was at one point previously postponed due to alleged compatibility and market timing concerns.","source":"ICOholder project listing","source_url":"https://icoholder.com/en/skippy-token-1008470"},{"date":"2026-05-27","event":"TenArmor detects active exploit on BNB Smart Chain involving SKP liquidity pools across PancakeSwap, Venus, and Lista DAO. Estimated total loss approximately $212,000. Attacker exits with approximately 162,854 BSC-USD and 74.877 BNB. Primary exploit transaction: 0xbc01ea37bd2ff8f6aa6afcfbe0406114ff27a01e9aa56102bfa4ad8a0c2f25ee at block 100582079.","source":"CryptoTimes / BscScan on-chain data","source_url":"https://www.cryptotimes.io/2026/05/27/skp-liquidity-exploit-drains-212k-across-bnb-chain-defi-protocols/"},{"date":"2026-05-27","event":"No official team statement or post-mortem issued by SKP/Skippy Token team as of date of reporting. Root cause of exploit remains unidentified.","source":"CryptoTimes reporting","source_url":"https://www.cryptotimes.io/2026/05/27/skp-liquidity-exploit-drains-212k-across-bnb-chain-defi-protocols/"}]},"v":1}