Summary
Two days ago, a bug was discovered.
Attackers have exploited our uninitialized ERC1967Proxy contracts (OZ common proxy standard), front-running deployers to set malicious implementations & spoofing. This bug unfortunately allowed the attacker to mint 1M $PUNDIAI tokens on 12 July UTC +8.
We have responded swiftly, including recovering > 70% (710,193 PUNDIAI) of the attacker minted PUNDIAI. Also, we managed to lock and recover ~$275k worth of attacker assets. Unfortunately, the attacker managed to get away with ~$260k worth of assets as it was already swapped from PUNDIAI into ETH/USDT/BNB.
Below is the post mortem report.
Background of exploit
This exploit surfaced recently and external reports believe it is widely affecting protocols that use the ERC1967Proxy contract (see screenshot below). Attackers deployed and set the malicious implementation contracts before the team did, and it was not detected, as fake upgrade events were emitted to deceive even Etherscan’s UI.
Attackers then attacked en masses starting from 10 July, we were unfortunately hit by the attack on 12 July alongside others.
First attack & our response.
The attack began on 12th July 2:12pm. Attacker minted 100M of $FX and swapped into 1M $PUNDIAI, ~11.75% of our circulating supply. We were alerted. It happened right after minting. The attacker first targeted liquidity on Pundi AIFX Omnilayer, bridging 400k PUNDIAI into Pundi AIFX Omnilayer at 2:15pm and started selling. We responded by freezing attacker funds 264,000 PUNDIAI and ~$96k of assets worth ~21.88 WETH, ~20,172 USDT and 21,938 PUNDIX. We close the bridge the same day at ~4pm.
Second attack & response.
Attacker moved 101,000 PUNDIAI from Ethereum to BSC using third party bridge Axelar at 3:14pm and started selling, the price dropped from $6.55 to $5.88 before quickly recovering at ~$6.30. The team and community removed liquidity starting from 4:55pm on BSC, squeezing out liquidity for attackers to sell. Since PUNDIAI token contract is deployed by Axelar, there is no freeze function, Axelar has assisted in limiting their bridge transfer to very small amounts of PUNDIAI.
In Pundi AIFX Omnilayer, the attacker sold and transferred to Ethereum about ~$88k USD worth of 81,022 PUNDIX, 13.828 ETH and 20,114 USDT. The attacker also moved from Pundi AIFX to BSC 40,263 USDT.
CEX response
CEX has frozen deposits of PUNDIAI on the same day of attack. We thank the respective CEX for reacting quickly.
Second day response
A day after the attack is Sunday Singapore time, we continue to monitor the situation and burn the attackers PUNDIAI on Ethereum. We did an emergency upgrade on Pundi AIFX Omnilayer to allow us to freeze only attackers funds and allow non attacker funds to be transferable, by now our Pundi AIFX Omnilayer is back to normal. Our thanks to partner validators for helping perform an emergency upgrade over the weekend.
As PUNDIAI transfer function is frozen on Ethereum, the attacker was unable to move ~180k of stolen USDT as it is in the form of USDT-PUNDIAI Uniswap LP. We could independently unfreeze a company address and swap out the 180k USDT stolen funds he made from providing liquidity into PUNDIAI-USDT and recover those funds.
Third day response (today)
~$265k worth of crypto and 710,193 PUNDIAI are locked or recovered by the team, while ~$260k worth of crypto is considered lost as it was swapped into ETH/USDT/BNB. There are still 78,191 PUNDIAI in BSC which we are unable to freeze as it is a third party implementation by Axelar which does not have the freeze function.
What happens next?
We will begin to unfreeze PUNDIAI on Ethereum in the coming days. Pundi AIFX Omnilayer is already unfrozen yesterday (13 July) and back to normal, and the attackers’ funds on Pundi AIFX are frozen forever. We will also communicate with CEX to resume deposits once we unfreeze PUNDIAI on Ethereum.
As for BSC, we are engaging Axelar and Pancake swap team, the current plan is to deploy a new PUNDIAI BSC token contract and replace it for PUNDIAI holders except for the attacker. This is because we cannot freeze the attacker’s funds. If we proceed with a new BSC token contract, it should happen in a week with snapshot being taken anytime now.
In conclusion we managed to recover >70% of stolen PUNDIAI we look forward to resuming PUNDIAI all chains over the next few days to a week.
—------------------------------------------end—-------------------------------------
transaction details
As of 15:53pm 13th July the impact is as below:
Funds recovered or locked (~275k worth of crypto and 710,193 PUNDIAI)
- Ethereum 446,194 PUNDIAI (burnt)
- fxcore 263,999 PUNDIAI (locked)
- fxcore 21.88 WETH (locked)
- fxcore 20,172 USDT (locked)
- fxcore 31,938 PUNDIX (locked)
- Ethereum 180,000 USDT (recovered)
Funds lost (~$260k worth of crypto and 78,191 PUNDIAI still held by attacker)
- Ethereum 22.55 ETH
- BSC 8.73 BNB
- BSC 56,595 USDT
- BSC 12,191 PUNDIAI
- Ethereum 23,417 USDT
- BSC 109,006 USDT
- BSC 66,000 PUNDIAI (pancake LP)
Use DeBank to check how the attacker is moving the funds.
| — — — -Attacker mint — — — -|
https://etherscan.io/tx/0xec62e8b1c9f47c73825cab1c680c18cf27c41b66c77433aa5ae178455187336a
7-12–2025 14:12:23 UTC+8:Attacker uses swap contract to invoke pundiai token mint function and mints 1M $PUNDIAI https://etherscan.io/tx/0xd54ed7443aaf0d256aefe1797c32487e1ea5200c3d38b7a47ab02019caad0c56
Minted token sent to 0x26bC046BFA81ff9F38d0c701D456BfDf34b7F69c.
| — — — -Attacker bridges into Pundi AIFX Omnilayer— — — -|
7-12–2025 14:15:35 UTC+8: Attacker bridges 400k PUNDIAI into Pundi AIFX Omnilayer (aka FXCore) https://etherscan.io/advanced-filter?fadd=0x26bc046bfa81ff9f38d0c701d456bfdf34b7f69c&tadd=0x26bc046bfa81ff9f38d0c701d456bfdf34b7f69c&txntype=2&ps=100&mtd=0x6189d107%7eSend+To+Fx
Attacker starts swapping PundiAI token toUSDT/ETH/PUNDIX tokens https://etherscan.io/advanced-filter?fadd=0x26bc046bfa81ff9f38d0c701d456bfdf34b7f69c&tadd=0x26bc046bfa81ff9f38d0c701d456bfdf34b7f69c&ps=100&mtd=0x332caa1f%7eSubmit+Batch
bridge the swapped USDT/ETH/PUNDIX back to Ethereum because he knows we can halt our own chain.
https://etherscan.io/advanced-filter?fadd=0x26bc046bfa81ff9f38d0c701d456bfdf34b7f69c&tadd=0x26bc046bfa81ff9f38d0c701d456bfdf34b7f69c&ps=100&mtd=0x332caa1f%7eSubmit+Batch
|
https://etherscan.io/tx/0x27f8916c9e42b15a5ed4815633c32f721133bd7d12bde08a549b973e4b8080ca | 17,145.045471 | Pundi X Token(PUNDIX) |
| https://etherscan.io/tx/0xb5e1f381296c441fc6b9f6c25480f5bff910a53a9db517bf6214e48b038875d9 | 63,877.272683 | Pundi X Token(PUNDIX) |
| https://etherscan.io/tx/0x3230a25503329e6943bfa496e958c7cbc920e101e3b39f59962ffd648a504606 | 3,364.888568 | Tether USD(USDT) |
| https://etherscan.io/tx/0x3bd0c63790e6655c3cd4d4cfb175b45efd77c982a5316ff22cfdc5056c994399 | 5,576.327471 | Tether USD(USDT) |
| https://etherscan.io/tx/0xd3bf5fa6f270086fb4d9bef92b6f1099f97dcce029b20dcf41224e7a77cf058d | 3,914.610762 | Tether USD(USDT) |
| https://etherscan.io/tx/0x80ad7d3df3a4714a1c130cc49a5d7c79dd3031ed14c967446e8cf0efdbffcf60 | 6.574161 | Wrapped Ether(WETH) |
| https://etherscan.io/tx/0x1e7b8960e2afac3225101fb6490e2d5e84d752340a4c2eb7181fa14153376cba | 3,633.715674 | Tether USD(USDT) |
| https://etherscan.io/tx/0x0aa7107250bb4c5424309acc0266724150f3638dc643dd434a35f87f3db822a0 | 4.701694 | Wrapped Ether(WETH) |
| https://etherscan.io/tx/0xea0cda50aa0cdf3b4ea49a37ed3c30e8b312431ce880091d892ab596b405cad1 | 2.552301 | Wrapped Ether(WETH) |
| https://etherscan.io/tx/0xa13221cc4c2ca567580efbb47f5d92b4f532ae78626b8dfb57010468613fc0e0 | 3,624.952701 | Tether USD(USDT) |
| — — — -Attacks on BSC — — — -|
Attacker moves 101,000 PUNDIAI from Ethereum to BSC using Axelar.
0x26bc046bfa81ff9f38d0c701d456bfdf34b7f69c
0x7567a0417c62624d47fa4846e4f969737a4f7259
https://bscscan.com/tx/0xbf772f72c6b83f9d603e292804bf18c7795a57dd99d3f728f44eff40fbffd927
https://bscscan.com/tx/0x59204ba72fd7c03f8510825221e5d7df1b845eb2b59b43bb058f5f9271d1757e
| https://bscscan.com/tx/0xf76624299dd4a90883e0feaa8e81398e22f481502c6f6141243f876950b485c3 | 2025–07–12 07:14:58 | 2,813.077181 | BSC-USD |
| https://bscscan.com/tx/0x8262d2d6577c8acf102c375ae8154f03db532f30f7caeee7da535048384b99a2 | 2025–07–12 07:21:58 | 3,602.740028 | BSC-USD |
| https://bscscan.com/tx/0x41b27446d9752a96eff8ee71618f0ff5302f0a9d8ee1cb71938f0e8c2cf7e3ba | 2025–07–12 07:23:00 | 3,693.899162 | BSC-USD |
| https://bscscan.com/tx/0x0653f020682f192f9ff5b5419badf8550a333d7092cb51e7a4c104b475f041e0 | 2025–07–12 07:31:57 | 2,814.667398 | BSC-USD |
| https://bscscan.com/tx/0x2d2631cd051eaa4ad72ee428ae87f08ba60f1db924248eaa891d99f29b12079d | 2025–07–12 07:41:17 | 5,544.187876 | BSC-USD |
| https://bscscan.com/tx/0x3f246f157abc86c4191308866269de82464fb541e0c60eb23d39d0f7a6b792fc | 2025–07–12 07:41:24 | 4,587.203382 | BSC-USD |
| https://bscscan.com/tx/0x5ab43437918a4cf3b8ae6f1d54bdcfd7fb6a702fb1041777d8c40c002185505d | 2025–07–12 07:42:00 | 2,381.041867 | BSC-USD |
| https://bscscan.com/tx/0x50f7f20842f0f1dfd4ae7a077d7ea0613954b03510ceacfd84a228b214abdf92 | 2025–07–12 07:45:21 | 2,897.057175 | BSC-USD |
| https://bscscan.com/tx/0x6554017ef213ed2c48f7515252c880c89ff9c9cc471cc3307af299b8ac9e9535 | 2025–07–12 07:58:58 | 5,589.279231 | BSC-USD |
| https://bscscan.com/tx/0x3484aa101fcaa5da1f3ca2518e0e6f5718be3b8ff350fbc61ad1b93767668c02 | 2025–07–12 08:01:59 | 6,340.043072 | BSC-USD |
| — — Burning attacker PUNDIAI tokens on Ethereum — |
uniswap v4 pool manager (0x000000000004444c5dc75cB358380D2e3dE08A90): 10000
https://etherscan.io/tx/0xa004909b7be6c4fd38525636162e096cef344d6565bd3eed36d6aa63548a716a
uniswap v4 pool manager (0x000000000004444c5dc75cB358380D2e3dE08A90): 40000
https://etherscan.io/address/0x0f413055adef9b61e9507928c6856f438d690882
0x26bc046bfa81ff9f38d0c701d456bfdf34b7f69c
https://etherscan.io/tx/0x033173d2b3361625844b1201661ea68f3347672bd0188414df3eb31116951571
446194.735104745692945728 PUNDIAI burnt
All user funds remain safe and unaffected