Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 037 · Reentrancy

BurgerSwap Fake-Token Reentrancy

BurgerSwap on BNB Chain didn't validate swap-path tokens, letting a fake token's transfer callback re-enter the pool mid-swap and drain $7.2M in reserves.

On May 28, 2021, the BNB Chain AMM BurgerSwap lost approximately $7.2 million in a flash-loan-funded reentrancy attack. BurgerSwap's swap routing did not validate the tokens in a user-supplied swap path, letting the attacker insert a malicious fake token whose transfer logic re-entered the pool mid-swap and repeatedly drained reserves.

What happened

BurgerSwap was a Uniswap-style AMM on BSC. Its swap routing accepted a user-supplied path of token addresses to trade through. The router did not check that the path tokens were legitimate — it simply executed transfers along the path.

The attack chained a fake token, a flash loan, and reentrancy:

  1. Deployed a fake token whose transfer/transferFrom contained a callback to attacker-controlled code.
  2. Flash-borrowed WBNB to fund the operation.
  3. Initiated a swap through a path including the fake token.
  4. When the router called the fake token's transfer function mid-swap, the callback re-entered BurgerSwap's swap logic before the first swap's accounting had settled.
  5. The reentrant calls extracted real reserves (WBNB, BURGER, and other tokens) against stale internal balances.
  6. Repeated the loop, then repaid the flash loan and laundered the proceeds.

Total drained: approximately $7.2M across multiple BurgerSwap pools.

Aftermath

  • BurgerSwap paused affected contracts and shipped patches adding token-path validation and reentrancy guards.
  • The protocol's standing on BSC was significantly damaged; it never recovered its pre-incident position.
  • No public recovery; funds were laundered through BSC mixing routes.
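
The stale-accounting flaw from the attack steps and the two fixes named in the patches (token-path validation, reentrancy guard), as an added Python toy model. It is not BurgerSwap's contract code; the single pool, the 1000/1000 reserves, and every name (`Token`, `Pool`, `simulate`, `honest_total`) are constructed for illustration.

```python
# Toy model, not BurgerSwap's code: all names and numbers are constructed.
class BadPath(Exception): pass
class Reentrancy(Exception): pass

class Token:
    def __init__(self, hook=None):
        self.hook = hook                 # a fake token runs caller-chosen code here
    def transfer_from(self, amount):
        if self.hook:
            self.hook()                  # callback fires in the middle of the swap

class Pool:
    def __init__(self, r_in, r_out, allowlist=None, guard=False):
        self.r_in, self.r_out = r_in, r_out
        self.allowlist, self.guard, self.locked = allowlist, guard, False

    def swap(self, token_in, amount_in):
        if self.allowlist is not None and token_in not in self.allowlist:
            raise BadPath("token is not registered for this pool")
        if self.guard and self.locked:
            raise Reentrancy("swap re-entered before settling")
        self.locked = True
        try:
            out = amount_in * self.r_out // (self.r_in + amount_in)  # priced now
            token_in.transfer_from(amount_in)    # untrusted external call
            self.r_in += amount_in               # reserves only settle here,
            self.r_out -= out                    # after the external call
            return out
        finally:
            self.locked = False

def honest_total():
    """Two ordinary swaps in sequence: the second gets a worse price."""
    real, pool = Token(), Pool(1000, 1000)
    return pool.swap(real, 100) + pool.swap(real, 100)

def simulate(validate_path, guard):
    """Swap through a fake token whose callback re-enters the pool once."""
    real = Token()
    pool = Pool(1000, 1000, {real} if validate_path else None, guard)
    inner = []
    fake = Token(hook=lambda: inner.append(pool.swap(real, 100)))
    try:
        outer = pool.swap(fake, 100)
    except (BadPath, Reentrancy) as err:
        return type(err).__name__, pool.r_out    # reverted, reserves intact
    return outer + inner[0], pool.r_out
```

With both checks off, the outer and re-entered swaps are priced against the same 1000/1000 reserves and pay out 180 units where two sequential swaps would pay 165. Either check alone makes the call revert with reserves untouched.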

Why it matters

BurgerSwap is one of the early BSC reentrancy incidents in the explosive mid-2021 growth of Binance Smart Chain DeFi. It combined two of the most-repeated DeFi bug classes:

  1. Unvalidated user-supplied token paths — the Pickle Finance / Exactly Protocol "trusted address from untrusted caller" pattern.
  2. Missing reentrancy protection — the DAO / Cream lineage that the industry has been re-learning since 2016.

BSC's 2021 DeFi explosion produced a dense cluster of these incidents (Spartan Protocol, PancakeBunny, BurgerSwap, Belt Finance) within weeks of each other — because the chain's rapid growth attracted fast-shipping forks that hadn't internalised the security lessons Ethereum DeFi had already paid for. BurgerSwap is a representative entry in that wave: a new chain independently re-learning, at user expense, the exact vulnerabilities the older ecosystem had already catalogued.

Sources & on-chain evidence

  1. [01] halborn.com: https://www.halborn.com/blog/post/explained-the-burgerswap-hack-may-2021
  2. [02] coindesk.com: https://www.coindesk.com/markets/2021/05/28/burgerswap-hit-by-flash-loan-attack-netting-over-7m
  3. [03] peckshield.medium.com: https://peckshield.medium.com/burgerswap-hack-all-roads-lead-to-reentrancy-c4f9bb4c3d6a
