According to SlowMist, the attacker bypassed an onlyOwner access check when the contract owner was set to address(0), then converted inflated tokens into Wrapped Ether through PancakePair.
SlowMist said an access control flaw in the ONTR token contract allowed an attacker to steal 49.4801 WETH, worth about $98,000. The issue stemmed from the contract’s onlyOwner check failing when the owner was address(0), which let the attacker call privileged functions without authorization. SlowMist said the attacker then inflated token balances through contract functions and swapped the tokens for WETH through PancakePair. The incident highlights how misconfigured ownership logic can undermine smart contract security and allow unauthorized minting or balance manipulation.