.png){kind=small}
On 22 April 2026, the TimeBridge protocol was exploited through a cross-contract signature replay attack, resulting in the fraudulent minting of 519,000 TIME tokens on BNB Smart Chain, with a notional value of approximately $872,000 at the time of the incident. While heavy slippage significantly reduced what the attacker ultimately realized, the post-exploit fund movement that followed tells a more instructive story than the exploit itself.
This post covers the root cause, the on-chain behaviour after the fact, and what the laundering pattern reveals about how modern exploit proceeds are being managed.
The attack did not require compromising any private keys or bypassing signature verification in the conventional sense. Instead, it exploited a structural weakness in how the bridge designed its signing scheme.
The BSC TIME contract approved minting based on a message hash constructed from five fields: recipient address, source chain ID, destination chain ID, a lock ID, and amount. Critically, neither the target contract address nor any form of domain separation was included. A second bridge operated by the same infrastructure, handling a different token on Polygon, used an identical message format with the same validator signer set.
This meant that a valid signed message produced for one bridge flow was bitwise identical to a valid signed message for the other. The attacker provoked the validators into signing legitimate burn messages on the Polygon side and submitted those same signatures to the BSC TIME contract. The contract accepted them as valid and minted TIME against assets that had never been locked on the source chain.
Two fraudulent mints followed in quick succession. The attacker EOA, 0x80725752602613d05eec48d6b79abc54cc4af424, executed both transactions on BSC. Both tranches were sold into available liquidity, though aggressive slippage sharply compressed the actual proceeds. Ethereum and Polygon TIME supply remained unaffected; the incident was contained to BSC.
The technical fix is well understood: EIP-712 typed data with a proper domain separator, the contract address included in every signed payload, per-epoch mint caps, and an independent audit before any re-enablement. The weakness here was not in cryptography, but in message design.
What happened after the initial dump is where the compliance and investigative interest lies.
A portion of the proceeds was bridged from BSC to Base via a relaying service. Rather than sitting idle in a plain wallet, those funds were deployed into a yield-bearing DeFi position, specifically a concentrated liquidity vault managed through a third-party yield aggregator. This is a meaningful operational distinction. The actor was not simply moving funds toward an exit; they were actively parking and managing them inside DeFi infrastructure, adding a layer of complexity that a simple bridge-and-dump analysis would not surface.
The remainder of the proceeds followed a different path: conversion into BTC, with subsequent movement through services consistent with layering behaviour — nested infrastructure and exchange-style routing designed to reduce the traceability of funds and complicate chain-of-custody analysis.
Taken together, the post-exploit movement exhibits several indicators that compliance teams and investigators should treat as a recognisable pattern:
Multi-chain routing without a clear economic rationale. Moving from BSC to Base serves no yield or fee-optimisation purpose at this scale. It serves an obfuscation purpose.
DeFi deployment as a laundering layer. Depositing into a yield-bearing vault extends the time funds remain in the DeFi ecosystem, adds protocol interactions that fragment the trail, and can generate a superficially legitimate-looking transaction history.
Conversion to BTC. A well-established step in exploit laundering flows, typically used at the point where the actor wants to move value toward less-monitored infrastructure or prepare for fiat off-ramping.
Nested and intermediary service usage. Routing through services that aggregate or obscure the original source of funds is consistent with deliberate layering, not incidental routing.
The use of Base in this flow is operationally significant beyond this individual incident. As newer EVM-compatible chains attract genuine DeFi liquidity and yield infrastructure, they also become viable post-exploit environments — not just as transit chains, but as places where funds can be parked, compounded, and managed over time before moving further.
For compliance teams monitoring counterparty exposure and for investigators tracing exploit proceeds, the implication is straightforward: coverage of newer chains is no longer optional. Activity that originates on BSC or Ethereum and migrates to Base does not disappear — but it does become invisible to tools that treat Base as out of scope.
The behaviour observed in this case, including bridge arrival, DeFi deployment, and layered exit, is now traceable end-to-end on Base. Identifying when exploit proceeds enter yield infrastructure, attributing the deposit wallet to a known exploit event, and following the downstream transactions are all within reach for teams with the right chain coverage.
For protocol teams, the TimeBridge case is a reminder that shared infrastructure creates shared risk. Two bridges using the same signer set and the same message schema are not two independent security boundaries — they are one. Any assessment of bridge security should explicitly examine whether a valid signature from one flow could be accepted as valid by another.
For compliance and risk teams, the pattern here — exploit on one chain, bridge to a newer chain, deploy into DeFi, convert a portion to BTC — is becoming more common, not less. Screening counterparty addresses against a single chain, or treating DeFi interactions as inherently lower-risk because they involve established protocols, will produce blind spots.
The sophistication required to execute this kind of post-exploit management is not exceptional. What is exceptional is the operational awareness that newer chain environments offer reduced surveillance coverage. That assumption is becoming less reliable.
If you are investigating this incident or want to understand your exposure to exploit-linked fund flows across BSC, Base, and other supported chains, contact us to speak with our intelligence team or request a product demonstration.
