The BetterBank Hack: How $5M Was Drained Through Reward Exploits
In August 2025, BetterBank on PulseChain lost nearly $5 million due to a flawed reward minting mechanism. Here’s a breakdown of how the exploit worked, the audit missteps, and key lessons for DeFi security.

The BetterBank Hack: A Technical Breakdown
What Happened
In August 2025, BetterBank—a DeFi lending protocol on PulseChain—suffered a critical exploit leading to losses of nearly $5 million. The attacker abused the protocol’s flawed reward logic involving FAVOR and ESTEEM tokens by creating fake liquidity pools that triggered bonus rewards without proper validation.
Attack Chain
- Create a fake LP between a bogus token and FAVOR
- Perform swaps to mint excessive ESTEEM rewards
- Convert ESTEEM back to FAVOR and other assets
- Amplify attack with flash loans for higher leverage
- Drain protocol assets across multiple transactions
- Attacker extracted 891M DAI, 9.05B PLSX, and 7.40B WPLS
Root Cause & Audit Misstep
The vulnerability was flagged in a prior audit, with recommendations to restrict reward logic to trusted pools and validate swap paths. However, the issue was downgraded in severity and left unpatched. This misjudgment enabled the attacker to exploit the minting mechanism and bypass fees entirely.
Aftermath & Recovery
BetterBank froze trading and engaged with the attacker. They managed to recover 550M pDAI through negotiations, but net losses stood at approximately $1.4 million. The team also drained FAVOR pools and announced a 20% bounty program to incentivize ethical disclosures.
Lessons Learned
- Don’t downgrade audit findings: Treat flagged vulnerabilities with seriousness, regardless of perceived difficulty of exploitation
- Secure reward systems: Verify swap paths and restrict bonus tokens to trusted pools only
- Universal fee logic: Apply fees consistently across all pools, even user-generated ones
- Continuous monitoring: Implement bug bounty programs, ongoing audits, and on-chain anomaly detection
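The second and third lessons above (bonus minting restricted to trusted pools with swap-path validation, and fees charged on every pool) sketched as an added Python model; it is not BetterBank's contract code and not part of the original article. The fee and bonus rates, the pool ids and the `RewardGate`, `Pool` and `Settlement` names are assumptions made for the example.

```python
# Simplified model of the audit recommendation; not BetterBank's contract code.
# Rates, pool ids and the DAI/BOGUS pairings are constructed for illustration.
from dataclasses import dataclass

BPS = 10_000
FEE_BPS = 100       # assumed 1% swap fee
BONUS_BPS = 2_500   # assumed 25% ESTEEM bonus


@dataclass(frozen=True)
class Pool:
    pool_id: str
    token0: str
    token1: str


@dataclass(frozen=True)
class Settlement:
    fee: int
    esteem_minted: int
    reason: str


class RewardGate:
    def __init__(self, trusted_pool_ids):
        self.trusted = frozenset(trusted_pool_ids)

    def settle(self, path, favor_amount):
        """Fee and ESTEEM bonus for a swap of `favor_amount` routed via `path`."""
        if favor_amount <= 0 or not path:
            raise ValueError("empty path or non-positive amount")
        # Universal fee: charged before any trust decision, on every pool.
        fee = favor_amount * FEE_BPS // BPS
        # Swap-path validation: the final hop must actually trade FAVOR.
        if "FAVOR" not in (path[-1].token0, path[-1].token1):
            return Settlement(fee, 0, "final hop is not a FAVOR pool")
        # Allowlist: one unknown hop anywhere in the route voids the bonus.
        unknown = [p.pool_id for p in path if p.pool_id not in self.trusted]
        if unknown:
            return Settlement(fee, 0, "untrusted pool: " + ",".join(unknown))
        return Settlement(fee, (favor_amount - fee) * BONUS_BPS // BPS, "ok")


TRUSTED_POOL = Pool("favor-dai", "FAVOR", "DAI")    # constructed sample
USER_POOL = Pool("favor-bogus", "FAVOR", "BOGUS")   # constructed, not allowlisted
GATE = RewardGate({TRUSTED_POOL.pool_id})
```

A swap through the user-created pool still pays the fee but mints no ESTEEM, so repeated swaps against it cost the trader money instead of generating rewards.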
Summary
| Aspect | Details |
|---|---|
| Trigger | Fake LP + flawed reward minting |
| Exploit Mechanism | Wash trading + bonus token minting + bypassed fees |
| Audit Failure | Known issue downgraded, left unpatched |
| Outcome | ~$5M drained; partial recovery left $1.4M loss |
| Key Insight | Edge cases in reward/token logic must be rigorously secured |
The BetterBank hack highlights how overlooked vulnerabilities can escalate into multimillion-dollar losses—reminding DeFi teams to prioritize rigorous audits, continuous monitoring, and proactive security culture.