A relatively obscure token called ATM, deployed on the $BNB Smart Chain (BSC), became the latest victim of a smart contract vulnerability. An attacker drained approximately $243,500 by exploiting non-standard logic in the token’s transferFrom() function.
Security monitoring platforms TenArmor flagged the incident on June 4, 2026. The alerts highlighted how custom token mechanics, often added for fees, liquidity provision, or rewards, can create serious exploitable weaknesses when not properly secured.
#CertiKInsight
We have seen an exploit of ~$243K on ATM token. The transferFrom() includes logic to swap 20% transfer amount of ATM for BSC-USD, so the attacker can repeatedly swap out extra after transfer.https://t.co/mf6uhujZgK
Stay vigilant! pic.twitter.com/hwN1B3Xt0m
— CertiK Alert (@CertiKAlert) June 4, 2026
According to CertiK’s analysis, the core issue lay in the token contract’s transferFrom() implementation. Instead of performing a standard token transfer, the function automatically triggered a swap of 20% of the transferred ATM amount into BSC-USD (or equivalent) through a decentralized exchange router.
This hidden behavior allowed the attacker to repeatedly initiate transfers that extracted far more value than normal approvals should permit. The main attack transaction hash is: 0x37b90a…dcfd86
Contract Address: 0x4fd087…d5a205
Blockchain security alerts detected the suspicious activity at an early stage. The attacker’s address, 0x7e7C1f…CdBAFE, has been associated with previous token contract exploits since 2025. The attack did not rely on flash loans or reentrancy but leveraged the unintended economic side effects of the custom transfer logic.
This latest incident adds to a worrying wave of exploits on $BNB Chain. Just days earlier, TesseraDAO was hit in a major attack where the exploiter minted roughly 99 million TSR tokens, dumped them, and drained around $2.5 million in USDT. The TSR token crashed nearly 99% following the incident.
Public information about the ATM project remains very sparse. There is no widely available official website, whitepaper, or detailed roadmap. The project does not appear to be a major DeFi protocol, and details regarding its intended use case, team background, or total value locked (TVL) before the exploit are not well documented.
As of June 5, 2026, the ATM project team has not issued any official public statement regarding the incident, whether the contract was paused, liquidity status, or any recovery efforts.
Such vulnerabilities are not isolated. In late May 2026, attackers exploited legacy liquidity lockers on DxSale and drained approximately $7.3 million from over 1,400 pools by manipulating unlock timestamps and withdrawing LP tokens. This shows how even older “locked” liquidity from previous cycles can remain at risk.
This incident serves as a classic example of the dangers associated with custom tax-on-transfer or auto-swap mechanisms in ERC-20-like contracts. While such features can serve legitimate purposes, they significantly increase complexity and the attack surface.
Blockchain security experts consistently warn that combining transferFrom() with external calls, such as to DEX routers, requires rigorous auditing, formal verification, and extensive edge-case testing.
- Always verify smart contracts thoroughly before interacting with them.
- Revoke token approvals regularly, especially for unknown or low-cap tokens.
- Prefer projects with multiple independent audits and transparent security practices.
Even though this is a mid-sized exploit by 2026 standards, such incidents continue to erode confidence in the broader DeFi ecosystem. Smaller tokens on chains like $BNB Smart Chain remain frequent targets due to rushed deployments and insufficient security measures.
Users are strongly advised to exercise extreme caution when dealing with new or low-visibility tokens.