The BetterBank project, which positions itself as a decentralized banking protocol on PulseChain, suffered an exploit in which an attacker siphoned assets valued between $1 and $5 million. The root cause was a vulnerability in the liquidity mining bonus system: the smart contract allowed the creation of fictitious pairs with the FAVOR token, enabling rewards to be claimed even when the paired asset had no intrinsic value.
BetterBank had originally incentivized users to create liquidity pools with FAVOR, granting ESTEEM tokens as rewards. However, investigations revealed that the contract failed to validate the authenticity or value of the second token in the pair. Moreover, the attacker bypassed taxation on the mass issuance of rewards by using external pairs. This loophole allowed the minting of a significant number of tokens, rapidly draining the project’s reserves.
The incident was detected within the past 24 hours when the team noticed abnormal withdrawals and quickly suspended protocol operations to mitigate losses. According to BetterBank, part of the stolen funds has already been covered by reserve pools. Developers pledged to relaunch the rewards contract with improved logic and promised an airdrop to compensate previous participants affected by the exploit.
At the time of the attack, BetterBank ranked among the top five DeFi protocols on PulseChain, recently reporting $30 million TVL (total value locked). Post-breach, liquidity plummeted to $9.96 million, while $10.31 million remains tied in circulating loaned liquidity. The impact extended beyond BetterBank itself, as PulseX, a token paired in the liquidity pools, lost more than 15% of its value.
PulseChain as a whole has continued to grow, recently reclaiming more than $300 million in total liquidity, but the BetterBank exploit has once again spotlighted the security weaknesses of niche blockchains. Researchers attributed the breach to weak verification of liquidity sources and leftover “low-hanging fruit” in the contract — scenarios that enabled attackers to generate fake activity and claim real tokens.
The hacker successfully moved assets beyond PulseChain, transferring 215 ETH to Ethereum’s mainnet to improve laundering prospects. At publication time, the attacker still held roughly 700 million pDAI, pending bridging for conversion. The project team has sent a message to the attacker’s wallet, though no response has been received.
Shortly after the exploit, the attacker converted part of the stolen assets into 309 ETH — worth about $1.4 million — and unexpectedly returned 550 million pDAI (around $2.7 million) of the 700 million originally taken. Whether this partial return was a sign of remorse, an attempt at negotiation, or a calculated move to legitimize the remaining funds remains uncertain.
While BetterBank’s financial damage is estimated in the millions, the true cost may prove far greater — encompassing diminished trust, token devaluation, and a reputational blow to the entire PulseChain ecosystem.
