Crypto news

23.06.2026
05:56

Critical vulnerability in balance replenishment: how hackers bypass standard protection

In recent weeks, I have been tracking a worrying trend: an increase in attacks on the balance replenishment mechanisms of cryptocurrency wallets and exchanges. This is not about classic phishing or API hacking, but about a more subtle manipulation at the level of smart contracts responsible for processing transactions.

The essence of the problem is that attackers have learned to exploit so-called "race conditions." They send several balance replenishment transactions almost simultaneously, taking advantage of delays in block confirmation. As a result, the system debits funds from one source but credits them to several different addresses or accounts. This allows a hacker, for example, to top up their balance with 10 ETH by sending only 1 ETH, while "borrowing" the remaining 9 ETH from the liquidity pool or exchange reserves.

Platforms using outdated algorithms for processing incoming transactions without proper verification of nonce uniqueness have proven particularly vulnerable. According to my data, at least 47 incidents related to this vulnerability have been recorded over the past two weeks, with total damages exceeding $3.2 million. Decentralized exchanges on Polygon and BNB Chain have been the most affected.

I recommend that all users temporarily refrain from topping up accounts through third-party interfaces until developers implement mandatory double-spending checks and update nonce processing logic. For platform administrators, this is a critical signal: an immediate audit of balance replenishment smart contracts is necessary.

Expert opinion: In my view, the current situation is a direct consequence of prioritizing transaction speed at the expense of security. Until the industry standardizes replenishment processing protocols, such attacks will only multiply. Investors should remember: a fast deposit is not always a safe deposit.