WMRP Reentrancy Double Dip

2. Key Background

RSunTokenLocker is a pooled token locker. It stores locks in a locks array and uses ownerToIndex only as a lookup helper. The contract does not segregate assets per lock; all deposited tokens sit in the locker’s ERC-20 balance.

Three protocol facts make this exploit deterministic:

• lockTokens(address tokenAdr, uint112 amount, uint48 duration, bool isVested, address owner_) is public, requires only the fixed 0.1 BNB fee, accepts arbitrary owner_, and does not reject duration = 0.
• For a non-vested lock, withdrawTokens(uint lockIndex) pays the full lock.amount once block.timestamp >= lock.endTime.
• PancakeSwap V2 flash swaps are permissionless, so any contract can borrow BUSD from pair 0x58f876857a02d6762e0101bb5c46a8c1ed44dc16 and repay it with fee in the callback.

Immediately before the exploit transaction, the relevant public state was already sufficient for an unprivileged attacker:

• RSunTokenLocker held 1525208669240080563214 BUSD.
• The PancakeSwap BUSD/WBNB pair held 4354725203957034555373327 BUSD and 6665034853082277169801 WBNB, enough liquidity to flash-swap the same BUSD amount.
• The public lock fee was 100000000000000000 wei.

3. Vulnerability Analysis & Root Cause Summary

The incident is an ATTACK-class ACT exploit against pooled-asset accounting. The bug is not in the flash-swap source and not in BUSD; it is inside RSunTokenLocker settlement logic.

The violated invariant is: once a non-vested lock has been fully redeemed, the locker must make that lock permanently non-withdrawable. In code terms, either the stored amount must become zero, the stored owner must no longer authorize the caller, or a consumed flag must be recorded before the transfer completes.

The vulnerable path is visible in the verified locker source excerpt:

function withdrawTokens(uint lockIndex) public {
    Lock memory lock = locks[lockIndex];
    require(lock.owner == msg.sender, "Only the owner can withdraw tokens");

    if (!lock.isVested) {
        require(block.timestamp >= lock.endTime, "Lock hasn't ended yet.");
    }

    uint timestampClamped = block.timestamp > lock.endTime ? lock.endTime : block.timestamp;
    uint amount = lock.isVested ? lock.amount * (timestampClamped - lock.lastWithdrawn) / lock.duration : lock.amount;

    if (lock.isVested && block.timestamp < lock.endTime) {
        locks[lockIndex].lastWithdrawn = uint48(block.timestamp);
    } else {
        removeLockOwnership(lockIndex);
    }

    require(IBEP20(lock.tokenAdr).transfer(msg.sender, amount), "Transfer failed");
}

function removeLockOwnership(uint lockIndex) internal {
    uint[] memory lockIdsOwner = ownerToIndex[msg.sender];
    ...
    ownerToIndex[msg.sender][index] = lockIdsOwner[lockIdsOwner.length - 1];
    ownerToIndex[msg.sender].pop();
}

That branch deletes only the helper index and leaves locks[lockIndex].owner, locks[lockIndex].amount, and the rest of the lock record intact. Because lockTokens also allows duration = 0, the attacker can create a non-vested lock that is immediately mature and drain it twice in one transaction. The locker’s pooled balance design makes the second withdrawal come from pre-existing contract funds, not from the attacker’s own deposited principal.

The exploit conditions are straightforward and public:

• the locker must hold a positive balance of some token;
• the attacker must source temporary capital in the same token;
• the attacker must pay the public 0.1 BNB fee and choose an attacker-controlled lock owner;
• for same-transaction execution, duration = 0 is sufficient.

The security principles violated are equally direct: one-time claims were not invalidated in persistent storage, auxiliary ownership indexes were used as if they were settlement state, and a user-controlled timing parameter that gates pooled-asset withdrawal was not validated.

4. Detailed Root Cause Analysis

The exploit starts from BNB Chain pre-state at block 86572244, the state immediately before the adversary transaction. At that point the locker already held 1525208669240080563214 BUSD, and the PancakeSwap pair had much more than that available for a callback-based flash swap. No privileged key, private orderflow, or attacker-owned legacy contract was required.

The first half of the bug is in lock creation. lockTokens stores:

lock.startTime = uint48(block.timestamp);
lock.duration = duration;
lock.endTime = lock.startTime + lock.duration;
lock.amount = uint112(amount);
lock.isVested = isVested;
lock.owner = owner_;

Because duration is caller-controlled and never constrained to be positive, a non-vested lock with duration = 0 is immediately redeemable at the same timestamp it is created. The exploit therefore does not need to wait across blocks.

The second half is the settlement bug in withdrawTokens. For non-vested locks, the payout is always the full lock.amount. When the lock is fully finished, the function does not mutate the stored lock at locks[lockIndex]; it only edits ownerToIndex[msg.sender]. The concrete breakpoint is the else { removeLockOwnership(lockIndex); } branch. That helper does not zero the amount, clear the owner, or set any “withdrawn” state. After one full payout, the same owner still satisfies the authorization check on the next call.

The seed transaction trace shows the exact on-chain realization:

0xd26bF360DF43C0C60f5Db2800BeD3A79b348BDA0::lockTokens{value: 100000000000000000}(
  0xe9e7CEA3DedcA5984780Bafc599bD69ADd087D56,
  1525208669240080563214,
  0,
  false,
  0x64E41Afc877613E0c19d34FA494a9506C9e5a8C3
)
0xd26bF360DF43C0C60f5Db2800BeD3A79b348BDA0::withdrawTokens(11)
emit Transfer(from: 0xd26b..., to: 0x64E41..., value: 1525208669240080563214)
0xd26bF360DF43C0C60f5Db2800BeD3A79b348BDA0::withdrawTokens(11)
emit Transfer(from: 0xd26b..., to: 0x64E41..., value: 1525208669240080563214)
emit Transfer(from: 0x64E41..., to: 0x58F876..., value: 1529031247358476755102)
emit Transfer(from: 0x64E41..., to: 0x30388E..., value: 1521386091121684371326)

This trace establishes the full causal chain:

1. The helper borrowed exactly the locker’s current BUSD balance from PancakeSwap.
2. The helper paid the public fee and created lock index 11 with duration = 0, isVested = false, and itself as owner.
3. The first withdrawTokens(11) returned the helper’s own deposited BUSD.
4. The second withdrawTokens(11) paid the same amount again because the lock record still authorized the helper and still stored the full amount.
5. The second payout came from the locker’s pre-existing pooled BUSD balance.
6. The helper repaid the flash swap plus fee and transferred the residue to the attacker EOA.

The balance diff independently confirms the economic effect:

{
  "locker_busd_delta": "-1525208669240080563214",
  "attacker_eoa_busd_delta": "1521386091121684371326",
  "pair_busd_delta": "3822578118396191888",
  "attacker_eoa_native_delta": "-101493023000000000"
}

The pre-state observations price the 0.101493023 BNB outlay at 66.312365205336909797610989572823819720657825962878 BUSD using the pre-transaction PancakeSwap spot ratio, leaving 1455.0737259163474615283890104271761802793421740371 BUSD of net profit in the report’s reference asset.

5. Adversary Flow Analysis

The adversary flow is a single transaction with one EOA and one freshly created helper contract.

Stage 1: Deploy attacker helper

• Chain: BNB Chain (56)
• Transaction: 0x1d1cd964222d07f8d0e0a007b71cc42d4aaac66fa0ad9ded21b1d46b6b2d193c
• EOA: 0x30388eacfe59f18e2d67a36a3a9064d7aaf702f0
• Created helper: 0x64e41afc877613e0c19d34fa494a9506c9e5a8c3

The seed trace shows the EOA creating the helper inside the transaction and forwarding the exact 0.1 BNB lock fee into the attack path.

Stage 2: Borrow BUSD and create a bogus lock

• Flash-swap source: PancakeSwap pair 0x58f876857a02d6762e0101bb5c46a8c1ed44dc16
• Borrowed amount: 1525208669240080563214 BUSD
• Victim call: lockTokens(BUSD, borrowAmount, 0, false, helper)

The attacker did not need a historical attacker contract or pre-seeded funds in BUSD. The only required principal was temporary, and the pair supplied it permissionlessly. The attacker-selected owner was the helper contract itself, ensuring that the same contract could execute both withdrawals.

Stage 3: Withdraw the same lock twice and settle

• First withdrawal: returns the just-deposited BUSD.
• Second withdrawal: drains the locker’s pre-existing BUSD.
• Flash-swap repayment: 1529031247358476755102 BUSD.
• Final transfer to attacker EOA: 1521386091121684371326 BUSD.

This is an ACT sequence because every ingredient is public and permissionless:

• public lock creation,
• public non-vested withdrawal,
• public PancakeSwap flash swap,
• attacker-controlled fresh helper deployment.

No access control, stolen private key, or attacker-only artifact explains the exploit.

6. Impact & Losses

The measured loss to the victim locker in the incident transaction was:

• BUSD: 1525208669240080563214 raw units (1525.208669240080563214 BUSD at 18 decimals)

The locker’s pre-existing BUSD balance was fully depleted to zero. The contract did retain the public 0.1 BNB lock fee, but that does not offset the principal loss. Because the accounting bug is token-agnostic and the locker uses pooled balances, any token balance resident in the contract was exposed to the same repeated-withdraw pattern.

The attacker’s realized outputs in the observed transaction were:

• 1521386091121684371326 BUSD to the attacker EOA after flash-swap settlement
• -101493023000000000 wei native delta for fee plus gas
• 1455.0737259163474615283890104271761802793421740371 BUSD net profit after valuing the BNB outlay at the pre-transaction spot price

7. References

1. Seed transaction metadata for 0x1d1cd964222d07f8d0e0a007b71cc42d4aaac66fa0ad9ded21b1d46b6b2d193c
2. Seed execution trace for the same transaction, showing helper creation, lockTokens, two withdrawTokens(11) calls, flash-swap repayment, and profit transfer
3. Seed balance diff showing the locker BUSD loss, attacker EOA BUSD gain, pair fee gain, and attacker native-token spend
4. Persisted pre-state observations for locker balance, pair liquidity, and the BUSD/WBNB spot ratio used to price the BNB outlay
5. Verified RSunTokenLocker source excerpt covering lockTokens, withdrawTokens, and removeLockOwnership
6. BscScan verified code page for 0xd26bf360df43c0c60f5db2800bed3a79b348bda0