BIZNESS hacked.

BIZNESS on base was hacked, root cause is reentrancy.

Locker contract has “splitLock” function that splits lock position.

In this function, “_feeHandler()” function is used for sending fees to treasury and remaining to user.

There’s no reentrancy check in “splitLock” function, and locked amount is decreased after “_feeHandler()” is called. This can be used for reentrancy attack. Hacker was able to call “withdrawLock()” function and get locked tokens as locked amount is not decreased when function is called.

Total loss is about $16k. Developers need to be care of reentrance.