Port3 suffered a critical exploit today. A single validation flaw inside Nexa Network’s cross-chain CATERC20 token standard opened the door to unauthorized minting and a rapid price collapse.
What followed was a full-scale breakdown of the token’s security model, a multi-address exploit, and now a complete token migration to stabilize the ecosystem.
The incident is not just another hack. It’s a textbook case of how a boundary-condition bug buried inside a cross-chain implementation can wipe out an entire token economy once ownership is renounced. And Port3 now confirms it is reissuing the token, burning team tokens to neutralize excess supply, and migrating entirely to BNB Chain.
Here’s the full breakdown.
A Vulnerability Hidden in CATERC20 Opened the Door
Port3 integrated Nexa Network’s CATERC20 standard to support multi-chain expansion. The goal was to power easy cross-chain messaging and token movement across several ecosystems.
But CATERC20 carried a critical vulnerability inside its boundary-condition validation logic.
Once ownership of the Port3 token contract was renounced, a move intended to increase decentralization, the validation function started returning a value of 0. That value matched the owner-verification condition, causing the ownership check to fail. As a result, the system treated unauthorized addresses as valid.
The flaw did not appear in the CATERC20 audit report.
Port3’s renounced-ownership status placed the token in the exact configuration where the vulnerability could be triggered. And once discovered, it opened the door to full unauthorized access.
Incident Report: $PORT3 Hacker Attack
PORT3 aimed to support the development of multiple chains, and therefore adopted @nexa_network’s cross-chain token solution, CATERC20. However, CATERC20 contained a boundary-condition validation vulnerability. After the token’s ownership…
— Port3 Network (@Port3Network) November 23, 2025
The Hacker’s First Move: Registering a Fake Authorized Address
The attacker located the authorization-verification bug inside the Port3 BSC-side contract and moved quickly.
At 20:56:24 UTC, from address
0xb13A503dA5f368E48577c87b5d5AeC73d08f812E, the attacker executed a RegisterChains operation.
He registered his own address as an entity authorized to perform BridgeIn operations, the exact function needed to mint tokens during cross-chain transfers.
With that single move, the attacker became “trusted” by the contract due to the broken ownership check.
Minting 1 Billion Fake Tokens Through a Cross-Chain Fraud Path
Next, the attacker deployed a fake token on Arbitrum One. He initiated a cross-chain transaction that would normally go through CATERC20’s validation pipeline.
But the BSC-side Port3 contract failed to validate correctly.
Because the owner-verification condition returned 0, and because the attacker’s address was already registered, the transaction passed as legitimate. The contract proceeded to mint 1 billion PORT3 tokens.
Those tokens were immediately dumped across multiple DEXs, collapsing PORT3’s price from $0.03 to $0.0063 within minutes.
The attack didn’t stop there.
The same exploit was repeated using additional addresses, including:
0x7C2F4Bbda350D4423fBa6187dc49d84D125551fF
The result was a cascading liquidity shock that erased nearly all market value before operations were halted.
Port3 Responds: Exchange Coordination and Full Contract Migration
Within minutes of the exploit, Port3 moved to freeze movement across centralized platforms. Major exchanges were contacted to suspend deposits and withdrawals until the situation became clear..
Shortly after, Port3 announced the next steps: a full token migration with strict protection measures for users. The team emphasized that holders would not lose any tokens and that all legitimate balances before the exploit would be restored.
Port3 Token Update │ Migration Plan
We are initiating a token migration to ensure ecosystem stability and protect user assets. The migration plan is as follows:
1. Migration Ratio
Snapshot was taken at 20:56 UTC (right after the attack). All tokens will be migrated at a 1:1…— Port3 Network (@Port3Network) November 23, 2025
The Migration Plan: A Safeguard for All Users
Port3 outlined a detailed recovery process designed to restore stability across the ecosystem.
1. 1:1 Token Migration
A snapshot was taken at 20:56 UTC, immediately after the attack.
Every user holding PORT3 before that timestamp will receive a full 1:1 replacement.
The same guarantee applies to CEX balances once exchange coordination is finalized.
Port3 emphasized clearly: “Your tokens are SAFU.”
2. On-Chain Multi-Send Distribution
All addresses from the snapshot will receive their new tokens directly.
Port3 will use multi-send transactions of 200–500 tokens per tx, distributing to every affected wallet.
CEX migration details are still being finalized.
3. The New Token Lives Exclusively on BNB Chain
This was already hinted at in April, but now it becomes final.
All PORT3 liquidity on Ethereum was scheduled to migrate to BNB Chain. After the exploit, Port3 confirmed that the new token contract will be deployed only on BNB Chain going forward.
The move improves consistency, simplifies security management, and avoids repeating the multi-chain vulnerability path that enabled this attack.
4. Team Tokens Burned to Offset the Unauthorized Mint
The exploit created 1 billion unauthorized tokens during the minting attack.
To preserve total supply integrity, Port3 will burn 162,750,000 team tokens, fully neutralizing the excess and ensuring that the attacker receives nothing from the new contract.
This prevents inflation, restores supply balance, and closes the hole left by the exploit.
A Reset, Not a Shutdown, “The Team Is Here to Stay”
Port3 made one message clear:
- The project is not going anywhere.
Despite the exploit, the team reiterated that development continues and that the ecosystem will recover stronger. The token migration is already underway, exchange reviews are happening in parallel, and trading will reopen once verification is complete.
Users were told to sit tight, avoid panic, and wait for the official restoration.
“All funds are SAFU.”
Conclusion: A Harsh Exploit, but a Full Rebuild Is Already in Motion
The Port3 exploit shows how fragile cross-chain token designs can be when a single validation pathway breaks. Once ownership was renounced, the CATERC20 flaw became catastrophic. A single boundary-condition error led to unauthorized registration, fake token minting, and a global price crash.
- But the response has been fast, coordinated, and transparent.
- The supply is being repaired.
- The token is being migrated.
- Users are protected.
- And the attacker’s mint is being fully neutralized.
Port3 is moving forward, on a new contract, on a single chain, and with rebuilt tokenomics designed to ensure this never happens again.
Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.
Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news!