AISOTH Presale Exploit: How an Attacker Turned $0 Into $30,000 in a Single Transaction

Most people imagine a crypto hack involving stolen private keys, phishing campaigns, or sophisticated smart contract vulnerabilities.

The AISOTH exploit was none of those.

The attacker needed no special permissions, no compromised keys, and no hidden backdoor.

Instead, they used only public functions available to every user and extracted over $30,000 in profit from a single atomic transaction.

Even more surprisingly, five days later, the funds remain untouched in the attacker’s wallet.

This is the story of how a seemingly harmless presale design turned into a risk-free arbitrage opportunity.

Executive Summary

Chain: BNB Smart Chain

Loss: $30,314.76

Attack Type: Presale Instant Claim Exploit

Capital Required: $0 (Flash Loan Funded)

Transactions Required: 1

Special Permissions: None

Current Status:

Funds remain in attacker’s wallet

Unlike most DeFi exploits, the attacker did not break the protocol.

The protocol behaved exactly as designed.

That design was the problem.

The Critical Mistake

AISOTH operated a standard presale model.

Users would:

1. Buy tokens during presale
2. Wait for the claim period
3. Claim their tokens later

At least, that was the intended flow.

The vulnerability existed because the protocol never actually enforced the waiting period.

The contract checked only one thing:

“Has this address purchased tokens?”

It never checked:

“When were those tokens purchased?”

As a result, anyone could:

Buy → Claim → Sell

all within the same transaction.

That single missing condition created a completely risk-free arbitrage opportunity.

Why the Economics Were Broken

The attack was only possible because of a massive price gap.

The discount itself wasn’t the issue.

Presales commonly offer discounted tokens.

The issue was allowing those discounted tokens to become immediately liquid.

Once that happened, the market effectively offered free money.

All an attacker needed was enough temporary capital.

Flash loans solved that problem instantly.

The Entire Attack Happened in One Transaction

The exploit was executed atomically.

If any step failed, everything would revert.

If it succeeded, the attacker walked away with profit.

This eliminated virtually all risk.

Step 1 — Borrow Funds

The attacker borrowed:

5,746.57 USDT

from a PancakeSwap liquidity pool using a flash loan.

No collateral.

No upfront capital.

Step 2 — Buy Presale Tokens

The borrowed USDT was sent to the AISOTH presale contract.

The attacker received an allocation of:

164,187 AIS

at the presale price.

At this stage, everything looked like normal user behavior.

Step 3 — Trigger the Vulnerability

Immediately after purchasing, the attacker called:

The contract approved the request.

No waiting period.

No vesting.

No claim window.

The attacker instantly received all presale tokens.

This was the critical failure point.

Step 4 — Accept the Token Tax

AISOTH included transfer-tax mechanics.

Several thousand tokens were burned or distributed through protocol fees.

After deductions, the attacker held:

159,262 AIS

The reduction was insignificant compared to the arbitrage opportunity.

Step 5 — Dump on PancakeSwap

The attacker sold all received AIS tokens into the existing PancakeSwap market.

Result:

36,075.73 USDT received

The presale discount had now been converted directly into cash.

Step 6 — Repay Flash Loan

The flash loan was repaid immediately.

Repayment:

5,760.97 USDT

Remaining profit:

30,314.76 USDT

Total attacker capital invested:

$0

Execution time:

One block

The Most Interesting Part

Most exploiters begin laundering funds almost immediately.

That has not happened here.

As of June 10, 2026:

• No exchange deposits
• No bridge activity
• No mixers
• No secondary wallets

The funds remain parked in the original attacker-controlled address.

This leaves two possibilities.

Scenario 1 — Strategic Delay

The attacker may be waiting for monitoring activity to cool down before moving funds.

This is common among experienced exploiters.

Scenario 2 — White Hat Intent

The attacker may have conducted the exploit to demonstrate the vulnerability and could be preparing a disclosure or negotiation with the protocol team.

At the moment, on-chain evidence supports neither theory conclusively.

What Developers Should Learn

This incident highlights a recurring lesson in DeFi security.

The biggest risks are not always code bugs.

Sometimes they are economic bugs.

The AISOTH contracts functioned exactly as written.

The vulnerability emerged because the economic assumptions behind the design were never enforced on-chain.

Three principles stand out:

Presale Discounts Must Have Lockups

If discounted tokens can be sold immediately, the discount becomes an arbitrage mechanism.

Assume Infinite Capital

Flash loans mean attackers effectively have unlimited temporary liquidity.

Designs that rely on capital constraints are already broken.

Test Economic Behavior, Not Just Code

Unit tests verify technical correctness.

They do not verify economic safety.

Protocols need adversarial simulations that ask:

“What happens if every public function is used in the most profitable way possible?”

Conclusion

The AISOTH exploit did not require hacking.

It required reading the rules.

The attacker simply followed the protocol’s intended execution path and discovered that the path itself created free money.

One transaction.

Zero capital.

Zero permissions.

Over $30,000 in profit.

The most dangerous vulnerabilities are often the ones that execute exactly as designed.