Keypoints
- Check Point’s Blockchain Threat Intelligence flagged a pool-manipulation attack that caused a ~22,000% WIZ price surge and an $80,000 theft.
- The attacker used two wallets: 0x48F7661E84A823505d683D092a2DccdA1e5aA119 (deployer) and 0x151a2498826F9fe6f214C92bB1811f7d1153b630 (malicious operator).
- The WIZ token contract (0x2ae38b2b47bf41ba4ab8f749b092fdd02b00bc1e) and its LP pair (0x6e0367d897a8fd8bcbc44b4e2a14bafa904360aa) were deployed by the attacker.
- Attack logic lived in a malicious contract (0x796042E0032aC5247bc04A49102d49c5b5A5cF0c) that exposes a ‘brr’ method (0x5606de36) to trigger burns and a later sell (method selector referenced as 0xf77).
- The attacker disabled protections by calling removeLimits, renounced ownership, and relied on hardcoded exclusions (mktRecevier) to bypass fee/tx limits before invoking the burn/sync/sell sequence.
- Sequence: burn tokens from the WIZ/WETH pool to skew reserves, call sync to update pool ratios (raising WIZ price), then execute a sell to realize proceeds (~$80K).
- Malicious transaction recorded on Etherscan: https://etherscan.io/tx/0x85ebb1b1d6f091a2d72c4cffb66beea0552a07b2efabb5fd53d4198f8d159b64
MITRE Techniques
- No MITRE ATT&CK techniques are explicitly mentioned in the article.
Indicators of Compromise
- [Ethereum transaction] Malicious transaction demonstrating the attack – https://etherscan.io/tx/0x85ebb1b1d6f091a2d72c4cffb66beea0552a07b2efabb5fd53d4198f8d159b64
- [Wallet addresses] Attacker/deployer and operator wallets – 0x48F7661E84A823505d683D092a2DccdA1e5aA119, 0x151a2498826F9fe6f214C92bB1811f7d1153b630
- [Token contract] Target token and pair addresses – WIZ token 0x2ae38b2b47bf41ba4ab8f749b092fdd02b00bc1e, LP pair 0x6e0367d897a8fd8bcbc44b4e2a14bafa904360aa
- [Malicious contract] Operator contract used to trigger exploit – 0x796042E0032aC5247bc04A49102d49c5b5A5cF0c
- [Function selectors / methods] Exploit and sell functions referenced – brr methodID 0x5606de36, and a later sell call referenced as 0xf77
The technical procedure began with the attacker deploying the WIZ token contract (0x2ae38b2b47bf41ba4ab8f749b092fdd02b00bc1e) and creating a WIZ/WETH liquidity pair (0x6e0367d897a8fd8bcbc44b4e2a14bafa904360aa). Separately, the attacker controlled a malicious contract (0x796042E0032aC5247bc04A49102d49c5b5A5cF0c) containing a ‘brr’ function (methodID 0x5606de36). The token contract included administrative controls and safety checks (limitsEnabled, _isExcludedFromFees and _isExcludedForMaxTxAmount) that the attacker deliberately disabled or bypassed by calling removeLimits and renouncing ownership, and by setting a hardcoded market receiver (mktRecevier) to be excludedFromMaxTranscation.
With protections removed and the malicious contract marked as excluded for max transaction limits, the attacker invoked the malicious contract’s transfer logic to call the token contract’s internal burn path. The burn reduced WIZ supply inside the WIZ/WETH pool, forcing the pool formula to rebalance and sharply inflate the WIZ price. The malicious contract then calls sync (to update on-chain pool reserves) and executes a sell routine (selector noted as 0xf77 in the analysis), converting inflated WIZ into WETH and extracting proceeds.
In short, the exploit workflow was: deploy token + LP, embed a backdoor/hardcoded exclusion for the operator, disable limits and renounce ownership to evade checks, burn tokens inside the LP to distort the pool ratio, sync the pool to lock in the inflated on-chain price, and then sell tokens to drain approximately $80,000. The attack is visible on-chain via the referenced Etherscan transaction.