Coinsult recently identified and disclosed a previously undocumented rug-pull mechanism that could have resulted in the loss of millions of dollars across multiple Binance Smart Chain projects. The finding emerged during a routine deep-level contract analysis, where subtle interactions between anti-sniper logic and liquidity pool mechanics revealed a coordinated, insider-driven exploit rather than a typical external hack.
At first glance, the affected contracts appeared familiar. They included common features such as adjustable taxes, max transaction limits, and anti-sniper protections designed to penalize bots buying during the first minutes after launch. These mechanisms are often marketed as investor-friendly safeguards. However, Coinsult’s analysts noticed that in this case, the anti-sniper system was not only overly powerful, but dangerously misused.
The key risk centered around how “snipers” were identified. During liquidity pool creation and early trading, the contract automatically flagged recipients as snipers if transfers occurred within a configurable launch window. Critically, this logic did not exclude the liquidity pair itself. As a result, the PancakeSwap pair address could be silently marked as a sniper during normal liquidity addition, something most users and even many auditors would not expect.
Once the pair address was flagged, the contract exposed a function named BurnSniperTokensBought. This function could be called by a privileged sniper manager role controlled by the token owner or their associates. When executed against the liquidity pair, it burned 99 percent of the tokens held by the pair, sending them to a dead address while leaving a negligible remainder.
This single action catastrophically broke the balance of the liquidity pool. With the token side of the pool nearly wiped out, the attacker could then use standard Uniswap-style mechanics such as skim or sync through a secondary helper contract. These are legitimate functions intended to reconcile balances, but in this manipulated state they allowed the attacker to drain nearly all the paired BNB from the pool.
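A monitoring check for the pattern described above, written as an added example (not Coinsult's tooling or code from the affected contracts): it scans decoded token and pair events for a large token transfer out of the pair in a transaction where the pair itself emitted no Swap or Burn. The addresses, event dictionaries and 50 percent threshold are constructed assumptions.

```python
# Added example. All addresses and events below are constructed for illustration.
DEAD = "0x000000000000000000000000000000000000dead"  # assumed burn address
PAIR = "0xpair"        # placeholder for the token/WBNB pair address
THRESHOLD = 0.50       # assumed alert level: share of the last synced token reserve

# Constructed, already-decoded logs in block order.
# "Sync" carries the pair's token-side reserve; "Transfer" is the token's own event.
EVENTS = [
    {"tx": "0xa1", "event": "Sync", "token_reserve": 1_000_000},
    # Ordinary buy: the pair sends tokens out and emits Swap in the same transaction.
    {"tx": "0xa2", "event": "Transfer", "from": PAIR, "to": "0xbuyer", "value": 5_000},
    {"tx": "0xa2", "event": "Swap"},
    {"tx": "0xa2", "event": "Sync", "token_reserve": 995_000},
    # Token contract moves 99 percent of the pair's balance to the dead address.
    {"tx": "0xa3", "event": "Transfer", "from": PAIR, "to": DEAD, "value": 985_050},
    {"tx": "0xa4", "event": "Sync", "token_reserve": 9_950},
]


def find_pair_burns(events, pair, threshold=THRESHOLD):
    """Return alerts for large token outflows from the pair that the pair did not initiate."""
    # Tokens normally leave a pair only in transactions where it emits Swap
    # (a buy) or Burn (liquidity removal). Anything else deserves a look.
    pair_initiated = {e["tx"] for e in events if e["event"] in ("Swap", "Burn")}
    reserve, alerts = None, []
    for e in events:
        if e["event"] == "Sync":
            reserve = e["token_reserve"]          # latest reserve the pair recorded
        elif e["event"] == "Transfer" and e["from"] == pair and reserve:
            fraction = e["value"] / reserve
            if e["tx"] not in pair_initiated and fraction >= threshold:
                alerts.append({"tx": e["tx"], "to": e["to"],
                               "fraction": round(fraction, 4)})
    return alerts


if __name__ == "__main__":
    for alert in find_pair_burns(EVENTS, PAIR):
        print("ALERT pair balance removed outside swap/burn:", alert)
```

A large skim would also match this rule, which is intended: both leave the pair's balance and its recorded reserves out of step without a trade.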
What makes this scam particularly dangerous is that it operates after liquidity has already been added and, in many cases, after LP tokens have been sold to third-party buyers. The scam follows a clear pattern: inflate the perceived legitimacy of the project, sell liquidity or LP positions to buyers, and only then trigger the exploit. When the liquidity is drained, LP buyers are left holding assets with no underlying value, while the scammers walk away with both the proceeds from selling the LP tokens and the drained base currency from the pool.
Coinsult’s investigation concluded that this was not an accident or a misconfiguration. The presence of privileged roles, helper manager functions, and the precise sequencing required to execute the drain strongly indicate an inside job. It is a coordinated attack model designed to look like a standard anti-bot feature while secretly functioning as a liquidity kill switch.
By identifying this mechanism early and publicly flagging it, Coinsult prevented widespread damage. Multiple projects using similar patterns were reviewed, and warnings were issued before significant capital could be deployed. In an environment where unaudited or lightly reviewed contracts often attract large sums within hours, this intervention likely saved investors millions of dollars.
The case also highlights a broader ethical stance that Coinsult has consistently reinforced through its work. Liquidity buying, LP flipping, and similar schemes are fundamentally misaligned with investor protection. Selling liquidity to buyers while retaining hidden control paths to destroy that liquidity is not innovation, it is deception. This incident demonstrates exactly why such practices are unsafe and why transparency and independent review are essential.
Beyond the immediate financial impact, the discovery sets an important precedent for the wider security community. It shows that modern scams are no longer limited to obvious mint functions or blacklist toggles. They increasingly rely on combining otherwise legitimate features in malicious ways. Detecting them requires not only code reading, but a deep understanding of decentralized exchange mechanics and real-world attacker behavior.
At the time of discovery, two known projects had already fallen victim to this exploit, both of which had undergone audits conducted by third-party firms, not by Coinsult. Despite the presence of audit reports, the malicious logic went unnoticed, allowing the attacks to unfold without resistance. When Coinsult independently analyzed the pattern, the risk was quickly identified and publicly disclosed, including an immediate warning shared on X to alert the broader ecosystem. This contrast underscores a critical reality in decentralized finance: not all audits offer the same depth or adversarial scrutiny. Working with a reliable auditor that actively searches for abuse scenarios, rather than surface-level issues, can make the difference between a protected project and a catastrophic loss.
Coinsult’s ability to uncover this exploit underscores the value of thorough, adversarial auditing. By thinking like an attacker rather than a marketer, the firm exposed a flaw that many would have overlooked. As decentralized finance continues to evolve, findings like this serve as a reminder that rigorous audits are not a luxury, but a necessity for anyone serious about building or investing in the space.
