
Explained: The Boy X Highspeed (BXH) Rug Pull (September 2022)

Category: Explained: Hacks


POSTED BY: Rob Behnke

09.29.2022

In September 2022, the Boy X Highspeed (BXH) project experienced an alleged rug pull. According to BSC Daily News, an estimated $12.5 million was extracted from the protocol, but other estimates place it at approximately 1,865 ETH or $2,433,665.79.

Inside the Attack

The BXH staking pool smart contracts on BSC, Avalanche, and HECO Chain include a privileged function named inCaseTokensGetStuck, shown below. The function is public and restricted by an onlyEmergencyWithdraw modifier. If called after the beta, the function allows tokens held within the pool to be transferred to an address specified by the caller.

An attacker invoked this privileged function on all three chains, draining tokens from the staking pools and transferring all stolen tokens to Ethereum. The stolen funds were then laundered via Tornado Cash.

Lessons Learned From the Attack

Centralized, privileged functions such as the inCaseTokensGetStuck functions in these contracts represent a serious security risk in smart contracts. While this incident is alleged to be a phishing attack, such functions can also be abused by the team behind the project to carry out a rug pull.
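The contrast below is an added illustration and not BXH's contract code: a hypothetical staking pool with an unrestricted rescue function of the kind described above, next to a hardened version that refuses to move the staking token and enforces a timelock so a rescue is visible before it executes. The IERC20 interface, StakingPoolExample, and all function and modifier names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Hypothetical staking pool contrasting an unrestricted rescue function
// with a hardened one. Added illustration; not BXH's actual contract code.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract StakingPoolExample {
    address public owner;
    IERC20 public immutable stakingToken;       // token users deposit; must never be sweepable
    uint256 public constant TIMELOCK = 2 days;  // delay between queuing and executing a rescue
    mapping(bytes32 => uint256) public rescueReadyAt;
    event RescueQueued(address token, address to, uint256 amount, uint256 readyAt);
    event TokensRescued(address token, address to, uint256 amount);

    constructor(IERC20 _stakingToken) {
        owner = msg.sender;
        stakingToken = _stakingToken;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Weak pattern: one privileged key can move any token, including user deposits,
    // to any address in a single transaction. This is the risk the post describes.
    function inCaseTokensGetStuckWeak(address token, address to, uint256 amount) external onlyOwner {
        IERC20(token).transfer(to, amount);
    }

    // Hardened pattern: the staking token is excluded outright, and any other rescue
    // must be queued first so users and monitors can react before it executes.
    function queueRescue(address token, address to, uint256 amount) external onlyOwner {
        require(token != address(stakingToken), "cannot sweep user deposits");
        bytes32 id = keccak256(abi.encode(token, to, amount));
        rescueReadyAt[id] = block.timestamp + TIMELOCK;
        emit RescueQueued(token, to, amount, rescueReadyAt[id]);
    }

    function executeRescue(address token, address to, uint256 amount) external onlyOwner {
        bytes32 id = keccak256(abi.encode(token, to, amount));
        uint256 readyAt = rescueReadyAt[id];
        require(readyAt != 0 && block.timestamp >= readyAt, "rescue not ready");
        delete rescueReadyAt[id];
        require(IERC20(token).transfer(to, amount), "transfer failed");
        emit TokensRescued(token, to, amount);
    }
}
```

The RescueQueued event is what an off-chain monitor would alert on, giving depositors the timelock window to withdraw if a queued rescue looks illegitimate.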

Security vulnerabilities like this function can and should be identified and remediated as part of smart contract security audits. Learn more about scheduling a smart contract security audit for your project by reaching out to our Web3 security experts at halborn@protonmail.com.


© Halborn 2024. All rights reserved.