In March 2022, the BNB Chain yield protocol Paraluni lost approximately $1.7 million. Its deposit function accepted an unvalidated user-supplied token and lacked reentrancy protection; a fake token's transfer callback re-entered the deposit logic, minting excess shares the attacker redeemed.
What happened
Paraluni's depositByAddLiquidity-style path trusted caller-supplied token addresses and had no reentrancy guard. A malicious token re-entered mid-deposit, inflating the attacker's share balance, which was redeemed for real assets (~$1.7M).
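A minimal model of the two missing primitives described above, added here as an illustration and not Paraluni's code: the vault credits shares from the pool's balance delta around an external token call, so a caller-supplied token whose transfer hook re-enters deposit() gets its inner deposit counted twice. The same Vault class takes an allowlist and a reentrancy flag, so the hardened configuration can be checked side by side. All names here (Vault, RealToken, FakeToken, run_attack, attack_outcome) are constructed for the example.

```python
# Added example (not Paraluni's code). Simplified model of the fake-token +
# reentrancy compound bug: deposit() mints shares equal to the pool balance
# delta observed across an external token call that the caller controls.

class RealToken:
    """Well-behaved asset: transfer_from just moves balance into the vault."""
    def transfer_from(self, user, vault, amount):
        vault.pool += amount


class FakeToken:
    """Caller-supplied token whose transfer hook re-enters the vault."""
    def __init__(self, real_token):
        self.real_token = real_token

    def transfer_from(self, user, vault, amount):
        # Re-enter mid-deposit with a real deposit of the same size.
        vault.deposit(user, self.real_token, amount)


class Vault:
    def __init__(self, allowlist=None, reentrancy_guard=False):
        self.pool = 0                 # real assets held by the vault
        self.shares = {}              # user -> shares minted
        self.allowlist = allowlist    # None = accept any token (missing primitive 1)
        self.reentrancy_guard = reentrancy_guard  # False = no nonReentrant (missing primitive 2)
        self._entered = False

    def deposit(self, user, token, amount):
        if self.allowlist is not None and token not in self.allowlist:
            raise ValueError("token not allowlisted")
        if self.reentrancy_guard and self._entered:
            raise RuntimeError("reentrant call")
        self._entered = True
        try:
            before = self.pool
            token.transfer_from(user, self, amount)   # external call, may re-enter
            minted = self.pool - before               # shares = observed balance delta
            self.shares[user] = self.shares.get(user, 0) + minted
            return minted
        finally:
            self._entered = False


def run_attack(vault, real_token, amount=100):
    """Deposit `amount` via a fake token; return (real assets supplied, shares credited)."""
    vault.deposit("attacker", FakeToken(real_token), amount)
    return vault.pool, vault.shares.get("attacker", 0)


def attack_outcome(vault, real_token, amount=100):
    """Return ('ok', pool, shares) if the deposit went through, else ('rejected', error name)."""
    try:
        pool, shares = run_attack(vault, real_token, amount)
        return ("ok", pool, shares)
    except (ValueError, RuntimeError) as exc:
        return ("rejected", type(exc).__name__)
```

With neither primitive the attacker supplies 100 units of the real asset and is credited 200 shares; either the allowlist or the guard alone rejects the call, which is why the write-up calls the two fixes individually survivable.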
Why it matters
Paraluni is the same fake-token + reentrancy compound bug seen in Akropolis, Grim Finance and Orion Protocol: two missing primitives (a token allowlist and nonReentrant) that are individually survivable and jointly a complete drain. By March 2022 this exact compound had been demonstrated for over a year across multiple chains; Paraluni shipped it anyway. It is one of the catalogue's purest "the fix is two well-known one-liners, freely available, and skipped" data points.
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-paraluni-hack-march-2022
- [02] rekt.news: https://rekt.news/paraluni-rekt