The root cause of the bnbs exploit is reentrancy. The “removeLiquidity” function has no reentrancy check, and the bnbs balance is updated only after the ETH is sent, which makes a reentrancy attack possible.

As you can see, the “removeLiquidity” function is called from the fallback function, and on each “removeLiquidity” call the attacker gets more and more bnbs tokens, because the bnbs balance has not been updated yet.
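The ordering problem described above, next to a hardened version, as an added example that is not the BNBS contract's code. It is a simplified Solidity pool in which `PoolSketch`, `ethOwed`, `bnbsOwed`, `addLiquidity` and `removeLiquidityVulnerable` are assumed names and the payout is reduced to per-account balances.

```solidity
pragma solidity ^0.8.20;
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Simplified, hypothetical pool written for illustration; every name except
// removeLiquidity is an assumption and this is not the BNBS contract source.
contract PoolSketch {
    IERC20 public immutable bnbs;                 // stand-in for the bnbs token
    mapping(address => uint256) public ethOwed;   // ETH side of each position
    mapping(address => uint256) public bnbsOwed;  // token side of each position
    bool private locked;
    constructor(IERC20 bnbs_) { bnbs = bnbs_; }
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }
    function addLiquidity(uint256 bnbsIn) external payable {
        require(bnbs.transferFrom(msg.sender, address(this), bnbsIn), "bnbs pull failed");
        ethOwed[msg.sender] += msg.value;
        bnbsOwed[msg.sender] += bnbsIn;
    }

    // Vulnerable ordering: the ETH send hands control to the caller while both
    // balances still hold their old values, so a nested call is paid again.
    function removeLiquidityVulnerable() external {
        uint256 ethOut = ethOwed[msg.sender];
        uint256 bnbsOut = bnbsOwed[msg.sender];
        (bool ok, ) = msg.sender.call{value: ethOut}("");
        require(ok, "eth send failed");
        require(bnbs.transfer(msg.sender, bnbsOut), "bnbs send failed");
        ethOwed[msg.sender] = 0;    // too late: written after the external call
        bnbsOwed[msg.sender] = 0;
    }

    // Hardened: state is written before any external call, plus a reentrancy guard.
    function removeLiquidity() external nonReentrant {
        uint256 ethOut = ethOwed[msg.sender];
        uint256 bnbsOut = bnbsOwed[msg.sender];
        ethOwed[msg.sender] = 0;    // state is final before control leaves
        bnbsOwed[msg.sender] = 0;
        require(bnbs.transfer(msg.sender, bnbsOut), "bnbs send failed");
        (bool ok, ) = msg.sender.call{value: ethOut}("");
        require(ok, "eth send failed");
    }
}
```

In a real contract the guard has to cover every function that shares this state, not only `removeLiquidity`.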

After that, he exchanged all the bnbs tokens for WBNB; the total loss is about $20k.