QI Quadriga Initiative

Apr 2025 - AIRWA Access Control Public Burn Rate Function Exploited - $34k (Global)

The AIRWA smart contract/token was created on the morning of April 3rd, 2025.

Unfortunately, the contract was launched without access control on the setBurnRate function, allowing funds to be drained.

The exploit of the $AIRWA token on the Binance Smart Chain (BSC) on April 4th stemmed from a critical access control vulnerability in the token's smart contract. Specifically, the contract exposed a public setBurnRate() function, which allowed any user to arbitrarily modify the burn rate of the token — a parameter that controls how much of the token is destroyed or removed from circulation during transfers or conversions.

The attacker exploited this flaw by calling setBurnRate() and setting the burn rate to a maliciously high or strategic value. This manipulation altered the internal tokenomics, allowing the attacker to trade a very small amount of $AIRWA (about 12 AIRWA tokens) and extract a disproportionately large amount of BNB — roughly 57 BNB, worth around $34,000 at the time. Because this function should have been restricted to the contract owner or admin, the lack of proper access control was the root cause of the vulnerability.

The attack involved three key addresses:

Attacker’s wallet: 0x70f0406e0A50C53304194B2668Ec853D664a3D9C

Attack contract: 0x2a011580f1b1533006967bd6dc63af7ae5c82363

Targeted AIRWA contract (non-open source): 0x3af7da38c9f68df9549ce1980eef4ac6b635223a

TenArmor has reported the amount lost as $33.6k USD.

The incident was reported by third parties such as TenArmor, CertiK, and GoPlus. However, there is no indication that this project has issued any response.

There were some public news reports. There is no indication of any investigation or recovery effort by the project.

There is no indication that any funds have been recovered.

The funds appear to be permanently gone.

Further Analysis

The $AIRWA token on Binance Smart Chain was exploited due to a critical vulnerability in its smart contract. Launched just a day earlier, the contract lacked access control on its setBurnRate() function, allowing anyone to change the token’s burn rate. The attacker exploited this flaw to manipulate the tokenomics and trade ~12 AIRWA for ~57 BNB (worth approximately $33.6K). The project has not issued any public response, and there is no indication of recovery efforts. The stolen funds appear to be permanently lost.

How Could This Have Been Prevented?
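
The missing check on setBurnRate() can be shown as a weak setter beside a hardened one. This is an added example, not code from the original page and not the AIRWA contract, whose source is not public. Apart from setBurnRate(), every name, the basis-point unit and the 5% cap are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch: only the function name setBurnRate() comes from the
// incident reports; the storage layout, units and cap are assumed.
contract BurnRateUnguarded {
    uint256 public burnRate; // assumed unit: basis points applied on transfer

    // Weak form: no caller check and no bound, so any address can change it.
    function setBurnRate(uint256 newRate) external {
        burnRate = newRate;
    }
}

contract BurnRateGuarded {
    uint256 public constant MAX_BURN_BPS = 500; // assumed cap: 5%
    address public immutable owner;
    uint256 public burnRate;

    event BurnRateChanged(address indexed by, uint256 oldRate, uint256 newRate);
    error NotOwner(address caller);
    error RateTooHigh(uint256 requested, uint256 max);

    constructor(uint256 initialRate) {
        if (initialRate > MAX_BURN_BPS) revert RateTooHigh(initialRate, MAX_BURN_BPS);
        owner = msg.sender;
        burnRate = initialRate;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    // Hardened form: owner-only, bounded, and logged so monitoring can alert
    // on every parameter change.
    function setBurnRate(uint256 newRate) external onlyOwner {
        if (newRate > MAX_BURN_BPS) revert RateTooHigh(newRate, MAX_BURN_BPS);
        emit BurnRateChanged(msg.sender, burnRate, newRate);
        burnRate = newRate;
    }

    // Burn taken from a transfer; the cap keeps it at or below 5% of `amount`.
    function burnAmount(uint256 amount) public view returns (uint256) {
        return (amount * burnRate) / 10_000;
    }
}
```

The upper bound matters independently of the owner check: even a compromised or malicious owner key cannot push the parameter to an extreme value, and the event gives off-chain monitors a signal to watch.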


Sources/Further Reading

TenArmor - "Our system has detected a suspicious attack involving #AIRWA on #BSC, resulting in an approximately loss of $33.6K. A Rug or a simple access control issue?" - Twitter/X (Dec 31)
Attack Transaction - BSCScan (Dec 31)
The AIRWA Exploiter - BSCScan (Dec 31)
GoPlusZH - "On April 4, an attack on $AIRWA on BSC resulted in a loss of 56.73 $BNB (~$34K). The attack was due to an access control vulnerability in $AIRWA's setBurnRate() function, which allowed the hacker to modify system parameters and exchange ~12 $AIRWA for ~57 $BNB." - Twitter/X (Dec 31)
The AIRWA contract was exploited by attackers, resulting in a loss of approximately $34,000 - Chain Catcher (Dec 31)
CertiK - "This morning AIRWA on BSC was exploited for ~$34k. The contract has a public setBurnRate() function which the attacker changed to burn AIRWA tokens and profit." - Twitter/X (Dec 31)
AIRWA Suffers $34,000 Loss in BSC Network Attack - Binance Square (Dec 31)
The AIRWA contract was exploited by attackers, resulting in a loss of approximately $34,000 - BitGet (Dec 31)
AIRWA Contract - BSCScan (Dec 31)
AIRWA Contract Creation - BSCScan (Dec 31)
AIRWA PancakeSwap Contract - BSCScan (Dec 31)

