In January 2026, the BNB Chain staking protocol TMXTribe lost approximately $1.4 million through a reward-distribution accounting flaw allowing repeated over-claims that drained the reward reserve.
What happened
TMXTribe's reward accounting could be gamed to credit disproportionate rewards per interaction; looped claims drained the reserve before the team paused.
Aftermath
- Paused; limited recovery.
Why it matters
TMXTribe is — once more — the reward-accounting double-dip (Popsicle, Level Finance, Bent, The Idols NFT, BetterBank). Its value in the catalogue is purely cumulative: by 2026, this is among the single most-repeated bug classes in DeFi history, and its persistence is the strongest possible evidence for the catalogue's central thesis — knowing a vulnerability class as an industry does not stop individual teams from shipping it; only mandatory invariant/formal verification of value-moving accounting does, and most protocols still don't do it.
Sources & on-chain evidence
- [01]halborn.comhttps://www.halborn.com/blog/post/explained-the-tmxtribe-incident-january-2026
- [02]rekt.newshttps://rekt.news/tmxtribe-rekt