
Local Traders P2P Exchange Drained of $118K in BSC Access Control Exploit

A peer-to-peer cryptocurrency exchange operating on Binance Smart Chain has become the latest victim of a smart contract vulnerability, losing approximately $115,595 in a surgically executed attack that exposed fundamental flaws in access control design.

The Exploit Mechanics

On May 24, 2023, the Local Traders platform — a decentralized peer-to-peer exchange facilitating token swaps on BSC — was exploited through a deceptively simple attack vector. The vulnerability stemmed from a critical omission in the smart contract: one of its core functions lacked proper permission checks, allowing any external address to call it and modify the contract owner. Once the attacker seized ownership privileges, they invoked a second function to manipulate the price of the native LCT token, driving it down to near-zero levels. The attacker then purchased large quantities of LCT at the artificially depressed price before selling them on external markets for a profit.

The entire attack was executed across three transactions on BSC. The first transaction — the access gain — modified the contract owner to the attacker’s address. The second changed the LCT token price. The third drained the resulting funds. The attacker walked away with approximately 379.32 BNB, valued at roughly $115,595 at the time of the exploit.

Affected Systems

The attack targeted the Local Traders smart contract specifically, which managed the LCT token and its associated trading mechanisms on Binance Smart Chain. The contract’s source code was unverified on BscScan, meaning the community had no opportunity to audit the code before deployment. This lack of transparency is a significant red flag — unverified contracts prevent independent security researchers from identifying vulnerabilities before they are exploited.

With Bitcoin trading at approximately $26,335 and Ethereum at $1,800 on the same day, the $118,000 loss may seem relatively modest compared to headline-grabbing DeFi exploits. However, the attack underscores a persistent and dangerous pattern: basic access control failures continue to plague smart contracts across all chains.

The Mitigation Strategy

Following the exploit, the Local Traders team reported the attacker’s address to major exchanges, resulting in a blacklist that makes cashing out the stolen funds significantly more difficult. The team stated they are working on a recovery plan for affected users, though no timeline has been provided.

From a technical standpoint, preventing this type of attack is straightforward. Smart contracts must enforce access control on every privileged function using established patterns such as OpenZeppelin’s Ownable (a single owner) or AccessControl (role-based access control, RBAC) modules. Critical functions — especially those that modify ownership or token parameters — should require explicit authorization checks. Additionally, all contract source code should be verified publicly to enable community auditing before deployment.
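
The flaw class and its fix, side by side, as an added example that is not the Local Traders code: the real contract was unverified, so every contract, function and variable name below is hypothetical. The hand-written onlyOwner modifier does the same job as the one OpenZeppelin’s Ownable provides, and the two-step ownership transfer goes one step beyond what the article asks for.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// All names are hypothetical: the real contract was unverified on BscScan.

// BEFORE: the flaw class the article describes.
contract VulnerableExchange {
    address public owner = msg.sender;
    uint256 public tokenPrice = 1e15; // wei per token, constructed value

    // No permission check: any external address can make itself owner.
    function setOwner(address newOwner) external {
        owner = newOwner;
    }

    // Gated on owner, but the gate is worthless while setOwner is open.
    function setPrice(uint256 newPrice) external {
        require(msg.sender == owner, "not owner");
        tokenPrice = newPrice;
    }
}

// AFTER: one modifier guards every privileged function, ownership moves in
// two steps, and each change emits an event that monitoring can alert on.
contract HardenedExchange {
    address public owner = msg.sender;
    address public pendingOwner;
    uint256 public tokenPrice = 1e15; // wei per token, constructed value
    event OwnershipTransferred(address indexed from, address indexed to);
    event PriceChanged(uint256 oldPrice, uint256 newPrice);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function transferOwnership(address newOwner) external onlyOwner {
        pendingOwner = newOwner; // takes effect only after acceptOwnership()
    }

    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "not pending owner");
        emit OwnershipTransferred(owner, msg.sender);
        owner = msg.sender;
        pendingOwner = address(0);
    }

    function setPrice(uint256 newPrice) external onlyOwner {
        emit PriceChanged(tokenPrice, newPrice);
        tokenPrice = newPrice;
    }
}
```

A unit test that calls each state-changing function from a non-owner address and expects a revert catches the "before" variant before deployment.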

Lessons Learned

The Local Traders exploit fits a familiar pattern seen across dozens of DeFi protocols. Access control vulnerabilities remain one of the most common and preventable attack vectors in the space. Had the team implemented standard permission checks — a practice that takes minutes during development — the entire incident could have been avoided.

Users should exercise caution when interacting with unverified contracts on any chain. The absence of verified source code on BscScan should be treated as an immediate warning sign. Additionally, platforms that handle user funds should undergo independent third-party security audits before going live.

User Action Required

If you have interacted with the Local Traders platform on BSC, revoke any outstanding token approvals to the compromised contract immediately. Monitor the project’s official communication channels for updates on the recovery plan. As a general practice, always verify that a smart contract’s source code is published and audited before interacting with it. Use tools like Revoke.cash or similar approval management platforms to regularly audit your wallet’s active permissions.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any cryptocurrency platform.


7 thoughts on “Local Traders P2P Exchange Drained of $118K in BSC Access Control Exploit”

  1. $115K gone in 3 transactions. missing access control on the owner function is like leaving your front door open with a sign that says come in

    1. the fact that anyone could call setOwner or whatever they named it is negligence plain and simple. basic OpenZeppelin Ownable would have prevented this

    2. $115k is small enough that it won't get media attention but the attack pattern is identical to ones that drained millions elsewhere

  2. BSC defi keeps getting hit with the same class of bugs. when will teams start requiring audits before launch

    1. audits cost money most BSC projects don't want to spend. the bar for launching on BSC has always been too low

  3. classic ownership takeover into price manipulation. same playbook as the old DeFi flash loan attacks but without the flash loan

  4. price manipulation after ownership takeover is such a basic attack. how does a P2P exchange not have a timelock on ownership transfers
