Breaking News: $438K Vanishes into Thin Air in Flash Loan Hack Frenzy

by

Key Highlights

  • Hackers drained a cool $438K from SOF and LAXO in February 2026 thanks to a burn logic bug on BNB Smart Chain.
  • Flash loans let the attackers do a quick switcheroo with token prices, turning mere mining rewards into millions.
  • Copycat attacks followed quickly, because who wouldn’t want to duplicate a hack that works like a charm?

February 2026 will go down in the annals of history as the month the BNB Smart Chain was brutally mugged for over $438,000. The first strike took place on February 14, followed by an encore performance just eight days later. Hats off to CertiK for unearthing this drama.

According to the official Incident Analysis report, both attacks relied on a simple little glitch in the token burn system. The hack allowed the perpetrators to inflate token prices in one fell swoop, manipulating liquidity pools as easily as swiping a wallet. The result? A truckload of BSC-USD with barely a wrinkle in the system.

CertiK Alert tweeted the chilling details: “On 14 February and 22 February 2026, SOF and LAXO tokens were exploited, leading to losses of ~$248K and ~$190K, all thanks to their charming burn logic.” And what’s the method? Flash loans. The attackers borrowed vast sums, drained liquidity pools, repaid their loans, and kept the juicy difference. Naturally, the second wave of hackers wasn’t far behind.

#CertiKInsight 🚨

On 14 February and 22 February 2026, SOF and LAXO tokens were exploited, resulting in losses of ~$248K and ~$190K respectively, due to their burn logic.

To learn more about what happened, read our full analysis here 👇

– CertiK Alert (@CertiKAlert) February 27, 2026

How the SOF exploit unfolded

The first move in the SOF hack was humble: just 875 tokens mined. But the real shenanigans followed. The hacker took out flash loans worth a jaw-dropping $590 million in assets and swapped a cool 313 million BSC-USD for nearly a million SOF tokens.

Instead of keeping them, the hacker had the brilliant idea of sending them off to the mining contract-goodbye fees. Suddenly, the pool was left with a paltry 787 SOF tokens and yet still had over 313 million BSC-USD floating around.

The next step? The hacker dumped the 875 SOF reward tokens back into the pool. The contract burned a few tokens and recalculated, misjudging the worth of what remained. Long story short, those 875 tokens were enough to snag the entire 313 million BSC-USD, leaving the hacker with a tidy 225,936 BSC-USD profit. Not bad for a day’s work. The hacker even sent a bit to FixedFloat and tossed 20 BNB through Tornado Cash for good measure.

LAXO attack and rapid copycats

The LAXO hack was cut from the same cloth. The initial hacker borrowed 350,000 BSC-USD via a flash loan, then swapped it for over 43 million LAXO tokens. Using a few nifty tricks on PancakeSwap, the hacker kept fees at bay and pulled off a grand coup. The contract then burned over 41 million LAXO tokens, causing the price to shoot up faster than a rocket.

After paying off the loan and a tiny fee, the hacker pocketed 137,320 BSC-USD. The real kicker? In a mere 13 minutes, two more hackers figured out the exact same trick and cashed in-though one had to throw a hefty MEV bribe into the mix.

The SOF and LAXO exploits reveal just how vulnerable DeFi systems can be to tiny flaws, and how quickly these flaws can turn into enormous losses when combined with flash loans. It also highlights the rapid response of hackers eager to duplicate success, making it clear that smart contract security and real-time monitoring are absolutely vital to avoid the next big hack.

Read More

2026-02-27 15:33