ATM token was exploited for about $243,000 after an attacker abused custom logic inside the token’s transferFrom()function. The affected transfer function included a mechanism that swapped 20
ATM token was exploited for about $243,000 after an attacker abused custom logic inside the token’s transferFrom()function.
The affected transfer function included a mechanism that swapped 20% of the transferred ATM amount into BSC-USD. The attacker repeatedly triggered that behavior, allowing extra value to be swapped out through the token’s own transfer flow.
The transaction flagged by CertiK shows the exploit path on BNB Chain, with the attacker using repeated transfers to turn a built-in tokenomics function into an extraction route. The loss was estimated at roughly $243,000.
The incident shows how quickly non-standard token logic can become a problem when swaps, taxes, rewards or liquidity actions are embedded inside basic transfer functions. These mechanics are common in smaller tokens because they automate treasury flows, fee collection or liquidity support, but they also increase the number of ways a transfer can behave unexpectedly.
A normal transferFrom() function should move approved tokens from one address to another. ATM’s function did more than that. It also triggered a swap tied to a percentage of the transfer amount.
That added logic became the weak point. By repeatedly calling the function, the attacker could keep activating the swap path and pull out BSC-USD beyond what the contract should have allowed. The flaw was not about market panic or a simple liquidity exit. It was a contract-behavior issue tied directly to how ATM handled transfers.
For token teams, the lesson is direct. Any transfer function that includes swap logic needs strict accounting, limits, router checks and edge-case testing. Automated buybacks, liquidity fees and transfer taxes may look useful for token design, but they can create loss paths if the contract lets attackers trigger them repeatedly.
ATM holders now need clear information on whether the vulnerable logic has been paused, whether liquidity remains exposed, and whether the project can prevent repeat calls from using the same path. Until those details are public, trading the token carries added execution risk because the contract behavior itself was part of the exploit.
The case follows a busy run of smaller DeFi incidents where contract-level mechanics, not broad market events, caused direct losses. The recent TesseraDAO exploit also showed how quickly token-specific flaws can turn into market damage when supply or swap mechanics break. The afiUSD vault exploit added another example of June’s smaller but steady exploit flow across DeFi.
The confirmed damage in ATM’s case is about $243,000. The key issue now is whether the token contract can be patched or replaced quickly enough to stop the same transfer-based extraction route from being used again.
The post ATM Token Exploit Drains $243K On BNB Chain appeared first on Crypto Adventure.
