Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.
The metaverse financial project Paraluni on the BSC chain was hacked, and the attackers made more than $1.7 million in profit. The flaw is in the depositByAddLiquidity method of the project's MasterCheif contract. The method does not check whether the token array parameter address[2] memory _tokens matches the LP pointed to by the pid parameter, and it does not take a lock while the LP amount changes. Attack method (per SlowMist): Reentrancy Attack. Reported loss: $1,700,000.
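The two missing checks named above, shown as a small Python model added here for illustration; it is not Paraluni's contract code or the DeFiHackLabs test. Every class, method and token name in it is hypothetical, and the liquidity math is a toy stand-in.

```python
# Added model for illustration; not Paraluni's Solidity. Names are hypothetical.
class Rejected(Exception):
    """Stands in for a Solidity revert."""

class Token:
    def __init__(self, name, on_transfer=None):
        self.name = name
        self.on_transfer = on_transfer  # constructed hook: token code that runs mid-transfer

    def transfer_from(self, sender, amount):
        if self.on_transfer:
            self.on_transfer()  # external code executes here, inside the deposit
        return amount

class Pool:
    def __init__(self, token0, token1):
        self.token0, self.token1 = token0, token1

class GuardedMasterChef:
    def __init__(self, pools):
        self.pools = pools
        self.credited = {}     # (pid, user) -> LP amount credited
        self._locked = False   # plays the role of a nonReentrant modifier

    def deposit_by_add_liquidity(self, user, pid, tokens, amounts):
        if self._locked:       # check 1: no re-entry while LP amounts are changing
            raise Rejected("reentrant call")
        self._locked = True
        try:
            pool = self.pools[pid]
            # check 2: the caller-supplied pair must be exactly the pool's pair
            if len(tokens) != 2 or set(tokens) != {pool.token0, pool.token1}:
                raise Rejected("tokens do not match the LP for this pid")
            received = [t.transfer_from(user, a) for t, a in zip(tokens, amounts)]
            minted = min(received)  # toy stand-in for the router's addLiquidity
            key = (pid, user)
            self.credited[key] = self.credited.get(key, 0) + minted
            return minted
        finally:
            self._locked = False   # always release, even when the call is rejected
```

The token-pair check runs before any transfer, so a token outside the pool never gets to execute code during the deposit; the lock covers the case where a pool token itself calls back.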
- chain: bsc
- protocol: Paraluni
- bug_class: reentrancy
- date_occurred: 2022-03-13
- loss_usd: $1,700,000
- source_id: sm:paraluni::2022-03-13