Root cause:
The vulnerable contract failed to properly validate or restrict the execution of a malicious payload sent with a native BNB transfer of 11 WBNB. The attacker exploited this by using a flash loan of 11 WBNB from a DVM pool, calling the victim contract with a crafted encoded payload (likely triggering an unintended function or logic flaw), and manipulating the PancakeSwap pair to extract 19.8 WBNB. The contract's lack of input sanitization or checks on the call function allowed the attacker to execute arbitrary logic, resulting in a net profit of ~8.8 WBNB after repaying the flash loan.
Vulnerable code snippet: The contract is not verified on BscScan.
Attack tx:
https://bscscan.com/tx/0x0fe3716431f8c2e43217c3ca6d25eed87e14d0fbfa9c9ee8ce4cef2e5ec4583c
Analysis: