Solv Protocol Vulnerability Exploited: Attacker Reaps $2.7 Million in Illicit Profits
The BRO-SOLV-20MAY2026 contract under Solv Protocol was found to contain a critical logic flaw. An attacker exploited the callback mechanism triggered by doSafeTransferIn to execute a double-minting attack. Starting from only 135 tokens, the exploiter minted assets out of thin air and subsequently swapped them for SolvBTC valued at approximately $2.73 million.

- Date of Attack: March 6, 2026
- Target Project: Solv Protocol
- Target Asset: BRO-SOLV-20MAY2026 Contract
- Target Overview: Solv Protocol is a decentralized asset management platform. Its BRO-SOLV-20MAY2026 contract allows users to mint corresponding Bitcoin Reserve Offering (BRO) tokens by depositing ERC-3525 Semi-Fungible Tokens (SFTs).
- Total Loss: Approximately $2.73 Million (38 SolvBTC)
- Attack Vector: Smart Contract Logic Flaw / Reentrancy via Callback
Incident Review & Technical Details
1. Attack Path
- Vulnerability Identification: The attacker identified a critical logic flaw in the mint() function of the BitcoinReserveOffering contract. The implementation failed to properly handle the transfer callbacks inherent in the ERC-3525 standard.
- Callback Triggering: When a user mints by transferring an entire ERC-3525 NFT, the contract executes doSafeTransferIn. This operation triggers the onERC3525Received (or onERC721Received-compatible) callback. By this stage, the contract has already initiated the minting of BRO tokens to the caller.
- Double Minting (Reentrancy): Because the mint() function lacked rigorous state validation and an effective "Checks-Effects-Interactions" pattern after the callback returned, it erroneously executed the minting logic a second time for the same asset.
- Exponential Amplification: The attacker exploited this flaw by recursively executing a "Burn-to-Mint" cycle 22 times. This "snowball" effect inflated the initial 135 BRO tokens to 567 million.
- Profit Realization: The attacker subsequently swapped these artificially inflated BRO tokens through Solv's liquidity/redemption pools, extracting 38 SolvBTC (total value ~$2.73M).
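The double-credit pattern described in the attack path, as an added illustrative Solidity model (this is not Solv's contract code; the interface, hook and storage names are assumed), shown beside a hardened version that keeps all accounting in mint(), applies Checks-Effects-Interactions and rejects nested entry during the callback:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed, simplified model of the flaw described above (not Solv's own code): the BRO
// contract credits a depositor from its transfer hook and again in mint() after the call returns.
interface IERC3525Token {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
    function balanceOf(uint256 tokenId) external view returns (uint256); // SFT value
}

contract BROVulnerable {
    IERC3525Token public immutable sft;
    mapping(address => uint256) public balanceOf; // BRO credited per depositor
    constructor(IERC3525Token sft_) { sft = sft_; }
    // Fired by sft.safeTransferFrom while mint() is still executing.
    function onERC721Received(address, address from, uint256 tokenId, bytes calldata) external returns (bytes4) {
        require(msg.sender == address(sft), "not sft");
        balanceOf[from] += sft.balanceOf(tokenId);               // first credit
        return this.onERC721Received.selector;
    }
    // BUG: the interaction (transfer + hook) runs first, then the same asset is
    // credited a second time; nothing records that tokenId was already consumed.
    function mint(uint256 tokenId) external {
        uint256 value = sft.balanceOf(tokenId);
        sft.safeTransferFrom(msg.sender, address(this), tokenId); // triggers hook
        balanceOf[msg.sender] += value;                            // second credit
    }
}

contract BROHardened {
    IERC3525Token public immutable sft;
    mapping(address => uint256) public balanceOf;
    mapping(uint256 => bool) public consumed; // each SFT id is credited once
    uint256 private locked = 1;               // minimal reentrancy guard
    constructor(IERC3525Token sft_) { sft = sft_; }
    modifier nonReentrant() { require(locked == 1, "reentrant"); locked = 2; _; locked = 1; }
    // The hook only accepts custody; all accounting lives in mint().
    function onERC721Received(address, address, uint256, bytes calldata) external view returns (bytes4) {
        require(msg.sender == address(sft), "not sft");
        return this.onERC721Received.selector;
    }
    // Checks-Effects-Interactions: state is final before the external call,
    // and the guard rejects any nested entry during the callback.
    function mint(uint256 tokenId) external nonReentrant {
        require(!consumed[tokenId], "already used");               // check
        consumed[tokenId] = true;                                  // effect
        balanceOf[msg.sender] += sft.balanceOf(tokenId);           // effect
        sft.safeTransferFrom(msg.sender, address(this), tokenId);  // interaction
    }
}
```

A review checklist for this class of bug: every path that can credit a deposit (direct transfer hook, explicit mint, migration helpers) must share one idempotent state update keyed on the asset id, and any external call that can invoke a hook on the contract itself must come after that update.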
2. Scope of Impact
The exploit resulted in the malicious draining of underlying assets within the BRO-SOLV-20MAY2026 contract, severely compromising the collateralization and reserve integrity of SolvBTC.
3. Official Determination
The technical audit confirms that the mint() function contained a logic vulnerability, specifically failing to implement a robust defense against callback-based reentrancy triggered by the safeTransfer mechanism.
4. Investigation Progress
- Attack Transaction Hash: 0x44e637c7d85190d376a52d89ca75f2d208089bb02b7c4708ad2aaae3a97a958d
- Status: The victim contract addresses have been identified and flagged. The protocol team is urgently refactoring the minting logic and has temporarily suspended redemption services to prevent further losses.
AUTOSEC.DEV Solution: Building a 360-Degree Defense
To counter hybrid attacks involving "Web2 Breach + Web3 Monetization," AUTOSEC.DEV provides comprehensive protection from code to personnel:
- Team OPSEC (Operations Security) Audit & Hardening: We provide enterprise-grade security training and configuration for core Web3 team members. We assist teams in deploying security hardware and risk detection software to increase the difficulty of social engineering attacks, while auditing password management protocols and device security policies.
- End-to-End Incident Response (IR): In an emergency, every second of confusion amplifies the loss. AUTOSEC.DEV provides standardized SOPs (Standard Operating Procedures) and rapid response services tailored to specific business needs to help projects mitigate losses quickly.
Service Content
- AUTOSEC.DEV - Security Awareness Training
- AUTOSEC.DEV - Incident Response Service
- AUTOSEC.DEV - Security Strategy & Planning