MRP token exploit analysis
On July 2, 2024, the MRP token on BSC experienced an exploit. The WMRP wrapped-token contract was attacked via a reentrancy vulnerability, resulting in a loss of approximately 17 BNB. Let's examine the details of how this attack took place.
Overview
Attacker address: https://bscscan.com/address/0x132d9bbdbe718365af6cc9e43bac109a9a53b138
Attack transaction: https://bscscan.com/tx/0x4353a6d37e95a0844f511f0ea9300ef3081130b24f0cf7a4bd1cae26ec393101
Vulnerable contract (WMRP): https://bscscan.com/address/0x35f5cef517317694df8c50c894080caa8c92af7d
Exploit analysis
From the attack transaction, we can see a flaw in which the WMRP contract triggered the attacker's fallback function while removing the liquidity (WMRP.BurnLP).
Check out the source code of the transfer function. The flow that allows the attacker to trigger the reentrancy attack seems to be in the _removeLiquidity function. In order to trigger this branch, the attacker needs to transfer the WMRP token to itself with a value of 0.
While hooking into the transfer function, the attacker could re-enter the receive function by transferring BNB back to the WMRP contract.
Through manipulation of the transfer function, the attacker managed to obtain more MRP tokens than allowed and drained all the BNB from the contract.
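A defensive sketch of the mitigation for this class of bug, added here as an example and not taken from the WMRP source: a hypothetical 1:1 BNB wrapper (the contract, its redemption rule and all names are assumptions) in which transfer and receive share one reentrancy lock and balances are updated before any BNB is paid out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, NOT the WMRP contract. Hypothetical wrapper:
// sending BNB mints tokens 1:1; transferring tokens to the contract
// itself redeems them for BNB.
contract GuardedWrapperSketch {
    mapping(address => uint256) public balanceOf;
    uint256 private _locked = 1; // 1 = unlocked, 2 = inside a guarded call

    // One lock shared by every entry point that moves value, so a callback
    // fired during a payout cannot enter a *different* function either.
    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    // Wrapping path. Guarded because the payout in transfer() hands control
    // to the recipient, who could send BNB straight back here mid-call.
    receive() external payable nonReentrant {
        balanceOf[msg.sender] += msg.value;
    }

    function transfer(address to, uint256 amount) external nonReentrant returns (bool) {
        // Checks
        require(balanceOf[msg.sender] >= amount, "insufficient balance");

        // Effects: all bookkeeping is final before any external call.
        balanceOf[msg.sender] -= amount;
        bool redeem = (to == address(this));
        if (!redeem) {
            balanceOf[to] += amount;
        }

        // Interactions: the native-currency send executes the recipient's
        // fallback/receive code, so it comes last. If that code sends BNB
        // back to this contract, receive() sees _locked == 2 and reverts.
        if (redeem && amount > 0) {
            (bool ok, ) = payable(msg.sender).call{value: amount}("");
            require(ok, "payout failed");
        }
        return true;
    }
}
```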
Conclusion
By sharing our insights on these vulnerabilities, we aim to help the web3 community identify and mitigate similar attack vectors in future projects, thereby enhancing the security and robustness of the DeFi ecosystem.