BNB Chain Project GANA Payment Loses $3.1 Million in Exploit
The BNB Smart Chain (BSC) project GANA Payment was hit by a major exploit, resulting in losses exceeding $3.1 million, according to a report from on-chain researcher ZachXBT. The attacker successfully laundered a large portion of the stolen funds through the privacy mixer Tornado Cash, though approximately $1 million remains dormant on the Ethereum network.
ZachXBT revealed that the hacker consolidated the funds before moving 1,140 BNB, worth about $1.04 million, into Tornado Cash on BSC. The attacker then bridged assets to Ethereum and laundered an additional 346.8 ETH, valued at $1.05 million, through the same service.
Contract Manipulation Was Key to the Attack
Blockchain security firm HashDit quickly analyzed the breach, identifying that the attacker maliciously changed the ownership of GANA’s smart contract. This unauthorized control gave the hacker power over the protocol’s staking mechanism, allowing them to manipulate reward rates.
By invoking the unstaking function, the attacker was able to withdraw far more GANA tokens than they were entitled to. They then sold these excess tokens on the open market for more liquid assets before beginning the laundering process. HashDit has warned users to avoid trading GANA tokens until the project’s team provides an official update.
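For defenders, the sequence HashDit describes (ownership change, then a reward-rate change, then an oversized unstake) can be correlated from contract events. The following is an added example, not code from GANA, HashDit or ZachXBT; the event names, addresses, amounts and thresholds are constructed assumptions, since the contract's actual events are not given here.

```python
from dataclasses import dataclass

@dataclass
class Event:
    block: int
    name: str        # hypothetical names: OwnershipTransferred, RewardRateUpdated, Unstaked
    actor: str       # new owner / caller / withdrawing account
    value: int = 0   # new rate, or tokens paid out on unstake
    staked: int = 0  # principal the account had staked (Unstaked only)

# Constructed sample events, not taken from the GANA contract.
SAMPLE = [
    Event(100, "Unstaked", "0xuser1", value=1_050, staked=1_000),
    Event(200, "OwnershipTransferred", "0xnew"),
    Event(201, "RewardRateUpdated", "0xnew", value=10_000),
    Event(203, "Unstaked", "0xnew", value=5_000_000, staked=1_000),
    Event(900, "Unstaked", "0xuser2", value=2_100, staked=2_000),
]

def correlate(events, window=50, max_ratio=2.0):
    """Alert on: owner change -> rate change by the new owner -> an unstake
    paying more than max_ratio x principal, all within `window` blocks."""
    alerts = []
    owner_change = None  # (block, new_owner) of the latest ownership change
    rate_change = None   # block of a rate change made by that new owner
    for ev in sorted(events, key=lambda e: e.block):
        if ev.name == "OwnershipTransferred":
            owner_change, rate_change = (ev.block, ev.actor), None
        elif ev.name == "RewardRateUpdated" and owner_change:
            recent = ev.block - owner_change[0] <= window
            if recent and ev.actor == owner_change[1]:
                rate_change = ev.block
        elif ev.name == "Unstaked" and rate_change is not None:
            recent = ev.block - owner_change[0] <= window
            if recent and ev.staked and ev.value / ev.staked > max_ratio:
                alerts.append((ev.block, ev.actor, ev.value / ev.staked))
    return alerts

if __name__ == "__main__":
    for block, actor, ratio in correlate(SAMPLE):
        print(f"block {block}: {actor} unstaked {ratio:.0f}x principal "
              "after owner and rate change")
```

An ownership change alone is worth an alert on a contract whose owner is not expected to rotate; the correlation above narrows that to the payout pattern described in this incident.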
A Test for BNB Chain Security
This incident adds to the security challenges faced by the BNB Chain ecosystem. While a joint report from BNB Chain and Hacken noted a 70% decrease in losses from exploits between 2023 and 2024, isolated attacks continue to occur. Enhanced security protocols have been implemented across the network, but vulnerabilities persist.
Previous security events on the network include a September phishing attack where a Venus Protocol user lost $13.5 million, although the protocol itself wasn’t breached. In February, the meme coin platform Four.Meme also lost $183,000 in what appeared to be a sandwich attack. In response to the latest exploit, the GANA team acknowledged the external attack on its interaction contract and confirmed that an investigation is underway.