MobiusDAO: Decimal handling double-multiplication bug in minting function — pennies-to-quadrillions inflation
Summary
MobiusDAO (category: Stablecoin / Token Minting; unspecified DeFi + RWA narrative) suffered an exploit on 2025-05-11, resulting in a loss of approximately $2M.
What happened
MobiusDAO lasted 3 days before a double-multiplication bug in its mint function let an attacker deposit $0.67 and receive 9.73 quadrillion MBU tokens, which were sold to drain $2.15M in stablecoins.
Linked factors
- RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — elementary double-multiplication bug]
- RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — all code freshly deployed; 3 days old] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — all code freshly deployed; 3 days old] || Time between audit end and deploy [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None]
- RD-F-046 — causal : ★ Contract unverified on Etherscan/Sourcify at launch [via cross-hack: Factor 30: Closed-Source / Unverified Contracts]
- RD-F-076 — causal : Protocol age (days since first mainnet deploy) [via cross-hack: Factor 35: Protocol Age < 2 Weeks at Time of Hack] || Protocol age (Cat 5 — < 6 months age signal) [via dashboard_risk_factors/Protocol age: 3 days (launched May 8, exploited May 11, 2025)]
- RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Anonymous — no publicly identifiable team members]
- RD-F-141 — related : Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- RD-F-146 — related : New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract] || New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — all code freshly deployed; 3 days old]