Cross-chain bridge protocol Allbridge suffered a significant security breach on April 1, 2023, losing approximately $570,000 in stablecoins after an attacker exploited a price manipulation vulnerability in its liquidity pools on BNB Chain. The exploit, which targeted the BUSD and USDT pools, underscores the persistent risks inherent in decentralized bridge infrastructure as the broader crypto market trades near $1.18 trillion in total capitalization.
The Exploit Mechanics
The attacker executed a sophisticated multi-step attack that leveraged a flash loan from PancakeSwap to manipulate the swap pricing within Allbridge’s liquidity pools. The root cause was a vulnerability in how the protocol calculated swap prices — one that allowed an attacker who controlled both sides of a liquidity position to artificially inflate dividend payouts and drain reserves.
The attack began when the exploiter took a flash loan of 7.5 million BUSD from PancakeSwap. The funds were then split strategically: 2 million BUSD were swapped for BSC-USD, while 5 million BUSD were deposited into Allbridge’s BUSD liquidity pool. By simultaneously acting as both a liquidity provider and a swapper, the attacker created an artificial price imbalance.
With the remaining 500,000 BUSD, the attacker swapped for BSC-USD and then used that balance to swap back for BUSD through Allbridge’s Bridge contract. This circular swapping generated an inflated dividend on the earlier liquidity deposit of 5 million BUSD — a direct consequence of the manipulated pricing mechanism.
Affected Systems
The attack specifically targeted Allbridge’s BUSD and USDT liquidity pools on BNB Chain. When the attacker withdrew their liquidity position, they received 4,830,999 BUSD as principal plus a 554 BUSD reward — a figure artificially inflated by the price manipulation. The attacker then exploited the skewed pricing to swap out $790,000 worth of BSC-USD using only $40,000 of BUSD, and subsequently withdrew 1,995,193 USDT from the USDT pool.
The total losses amounted to 282,889 BUSD and 290,868 USDT, totaling approximately $570,000. On-chain analysis traced the attacker’s address to the same operator who had previously exploited the UF Dao protocol, suggesting a pattern of targeting DeFi vulnerabilities across multiple platforms.
Following the attack, the exploiter moved 1,700 BNB — which included profits from previous attacks — through Tornado Cash, a cryptocurrency mixer commonly used to obfuscate transaction trails on the blockchain.
The Mitigation Strategy
Allbridge responded quickly to the incident. The team acknowledged the exploit publicly and immediately shut down the bridge to prevent further losses. A post-mortem report confirmed that the vulnerability was confined to the BUSD/USDT pools on BNB Chain, with other chains and asset pools remaining unaffected.
The protocol offered a white-hat bounty to the attacker, proposing that the exploiter return the stolen assets in exchange for a reward. This approach proved partially successful — the attacker ultimately returned approximately $465,000 of the stolen funds, retaining a bounty for themselves while significantly reducing the overall damage to users.
Lessons Learned
The Allbridge exploit highlights several critical lessons for the DeFi ecosystem. First, flash loan-enabled price manipulation remains one of the most common attack vectors in decentralized finance. Protocols that rely on internal pricing mechanisms without adequate safeguards — such as time-weighted average price oracles or multi-step validation — remain vulnerable to this class of attack.
Second, the incident demonstrates the importance of independent third-party security audits. Formal verification tools can help ensure that smart contracts behave as intended under adversarial conditions, particularly when complex liquidity and swapping mechanisms are involved.
Third, the relatively swift resolution — with most funds returned within days — suggests that white-hat bounty programs can be an effective crisis management tool, though they should not be relied upon as a primary security measure.
User Action Required
Users who had funds deposited in Allbridge’s BUSD or USDT pools on BNB Chain should monitor official Allbridge communications for updates on fund recovery and compensation procedures. All bridge operations were temporarily suspended pending a full security review. Users interacting with any cross-chain bridge should verify that the protocol has undergone comprehensive audits and maintains active bug bounty programs. With Bitcoin trading at approximately $28,463 and Ethereum at $1,821 at the time of the attack, the broader market remained relatively stable, suggesting the exploit had limited systemic impact beyond the immediate protocol.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before interacting with any DeFi protocol.
7.5 million BUSD flash loan from PancakeSwap to manipulate Allbridge pricing. the attack vector on liquidity pool pricing is well known at this point
7.5M flash loan from PancakeSwap to drain $570K. the ROI on these attacks is absurd when the pricing oracle has no manipulation resistance. same vulnerability, different bridge, every month
well known and yet protocols keep shipping the same vulnerable pricing logic. when will teams learn
blueskies makes the key point. this pricing vulnerability is documented extensively in DeFi security literature. teams shipping it anyway is negligence not innovation
the attacker depositing 5M BUSD into the pool while swapping 2M on the other side. classic two-sided manipulation
$570K is actually on the lower end for bridge exploits. could have been way worse if the pools had more depth