The ATM token on BNB Chain was exploited for approximately $243,000 to $243,500, according to security alerts and subsequent market reporting. CertiK publicly flagged the incident on June 4, 2026, saying the exploit involved custom logic inside ATM’s transferFrom() function.
The incident should be framed as a contract-logic exploit tied to a non-standard transfer function, not as a confirmed private-key compromise or broad BNB Chain failure. The affected transferFrom() function included a mechanism that swapped 20% of the transferred ATM amount into BSC-USD, which the attacker repeatedly triggered to extract value.
We have seen an exploit of ~$243K on ATM token. The transferFrom() includes logic to swap 20% transfer amount of ATM for BSC-USD, so the attacker can repeatedly swap out extra after transfer.https://t.co/mf6uhujZgK
Stay vigilant! pic.twitter.com/hwN1B3Xt0m
— CertiK Alert (@CertiKAlert) June 4, 2026
Transfer Logic Became the Attack Path
PANews, citing TenArmorAlert monitoring, reported the loss at approximately $243,500 and identified the attack transaction hash as 0x37b90a337075cd2feea93b12780abe9f953dad476e1c1418a02447aaa6dcfd86. That transaction hash should be used as the primary on-chain reference, while any broader reconstruction of attacker wallets, swap paths or remaining balances should be attributed to a dedicated explorer or security-firm analysis.
The exploit did not appear to rely on a normal market sell-off alone. The reported weak point was embedded tokenomics logic inside a basic transfer pathway, where the function did more than move approved tokens and instead triggered a swap tied to the transfer amount.
That distinction matters because standard ERC-20 transferFrom() behavior is expected to enforce allowance-based movement from one account to another. In ATM’s case, the custom swap behavior created an additional execution path, allowing the attacker to repeatedly activate the conversion mechanism and pull out BSC-USD beyond what the contract should have permitted.
Recovery Status Remains Unclear
There’s no formal statement from the ATM team, a public postmortem, a confirmed contract pause or a recovery plan. Until those details are published, the safest editorial framing is that the vulnerable transfer logic was reported by third-party security monitors, while project-side remediation remains unconfirmed.
The incident also highlights a recurring risk in smaller token contracts. Transfer taxes, automated swaps, buybacks and liquidity-support mechanics can expand the attack surface when they are embedded directly into transfer functions without strict accounting, limits and edge-case protections.
The confirmed facts remain narrow: ATM suffered an estimated $243,000 to $243,500 exploit on BNB Chain, with the attack tied to custom transferFrom() logic that repeatedly swapped a portion of transferred ATM into BSC-USD. Claims about final fund location, compensation, contract replacement or full root cause should wait for a formal project or security-firm postmortem.