Solv BRO Double-Mint Exploit
Solv Protocol's BRO vault lost $2.73M when an ERC-3525 double-mint bug let the attacker turn 135 BRO into ~567M BRO over 22 deposits, then swap for 38 SolvBTC.
- Date: March 22, 2026
- Victim: Solv Protocol
- Status: Partially Recovered
On March 22, 2026, the Bitcoin-focused reserve protocol Solv lost approximately $2.73 million when an attacker exploited a double-minting flaw in the Bitcoin Reserve Offering (BRO) vault contract. The attacker triggered the vulnerability 22 times, converting 135 BRO tokens into approximately 567 million BRO — then swapped these for approximately 38 SolvBTC (worth ~$2.73M at the 1:1 BTC exchange rate). Fewer than 10 users were affected; Solv committed to full compensation.
What happened
Solv Protocol offers Bitcoin-yield products through its SolvBTC wrapper and various structured vaults. The Bitcoin Reserve Offering (BRO) is a structured yield vault implemented using the ERC-3525 semi-fungible NFT standard — a relatively novel token standard that combines NFT identity with fungible-balance accounting.
The fatal flaw: the BitcoinReserveOffering contract contained a double-minting bug in its deposit handler for ERC-3525 NFTs. When a user deposited an ERC-3525 NFT, the contract issued excess BRO tokens beyond what the deposit's underlying value justified. Each deposit triggered the bug independently.
The attack:
- Identified the double-minting condition in the BRO contract.
- Triggered the deposit path 22 times with carefully constructed ERC-3525 NFT inputs.
- Each trigger converted a small input into a disproportionate BRO output — accumulating to a total of ~567 million BRO tokens from a starting position of ~135 BRO.
- Swapped the excess BRO for SolvBTC through the pool's pricing logic, which valued BRO and SolvBTC at a 1:1 ratio relative to Bitcoin.
- Walked away with approximately 38 SolvBTC — worth approximately $2.73 million at the time.
Aftermath
- Solv publicly disclosed the incident quickly, emphasising that fewer than 10 users were impacted and the loss was contained to a single vault.
- The team committed to fully compensating affected parties from corporate reserves.
- Solv offered the attacker a 10% white-hat bounty for the return of the remaining funds.
- In May 2026, Solv announced it would shift $700M+ in BTC assets to Chainlink CCIP — a move framed in part as a response to the broader 2026 bridge-risk environment.
Why it matters
The Solv incident is one of the early cases highlighting ERC-3525 as a meaningful new vulnerability surface. The ERC-3525 standard combines NFT-style unique-ID tracking with ERC-20-style fungible balance accounting within each token — a design that's powerful for tokenised structured products but introduces complexity around how transfers, deposits, and balance reads interact.
The structural lessons:
- Novel token standards inherit the audit-maturity of their ecosystem. ERC-20 has been audited thousands of times across thousands of protocols; ERC-3525 has been audited far fewer times, and audit firms have less collective experience with its edge cases.
- Deposit handlers for novel token standards must be tested against adversarial inputs — including the same deposit triggered multiple times, deposits of "empty" tokens, deposits with crafted slot values, etc. The Solv BRO bug was reachable with a single carefully constructed input.
- Per-vault impact containment is increasingly the differentiator between "manageable incident" and "protocol-killing event." Solv's BRO loss affected one vault and fewer than 10 users; the broader Solv ecosystem and SolvBTC's $700M+ in TVL remained unaffected. The architectural choice to isolate vaults limited blast radius.
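A minimal sketch of the adversarial deposit testing described in the second lesson, added here as an illustration and not taken from Solv's contracts or any audit report. The vault model, the `double_credit` bug shape (crediting once in a transfer callback and again in the deposit path), the slot id and the test cases are all assumptions constructed for the example.

```python
from dataclasses import dataclass

ACCEPTED_SLOT = 7   # assumed slot id the toy vault accepts; shares mint 1:1 with value

@dataclass(frozen=True)
class Token:        # minimal ERC-3525-like token: unique id, slot, fungible value
    token_id: int
    slot: int
    value: int

class Vault:
    """Toy deposit handler; double_credit=True is a hypothetical double-mint bug."""
    def __init__(self, double_credit):
        self.double_credit = double_credit
        self.shares = {}        # holder -> minted share balance
        self.held_value = 0     # total token value the vault holds
        self.seen = set()       # token ids already deposited

    def supply(self):
        return sum(self.shares.values())

    def _mint(self, who, amount):
        self.shares[who] = self.shares.get(who, 0) + amount

    def deposit(self, who, tok):
        if tok.slot != ACCEPTED_SLOT or tok.value <= 0 or tok.token_id in self.seen:
            raise ValueError("rejected deposit")
        self.seen.add(tok.token_id)
        self.held_value += tok.value
        if self.double_credit:          # callback path credits the depositor...
            self._mint(who, tok.value)
        self._mint(who, tok.value)      # ...and the main path credits again

def check_handler(vault, deposits):
    """Replay deposits and return (token_id, reason) for each broken invariant."""
    bad = []
    for who, tok in deposits:
        before = vault.supply()
        try:
            vault.deposit(who, tok)
            expected = tok.value
        except ValueError:
            expected = 0                # a rejected deposit must mint nothing
        minted = vault.supply() - before
        if minted != expected:
            bad.append((tok.token_id, f"minted {minted}, expected {expected}"))
        if vault.supply() > vault.held_value:
            bad.append((tok.token_id, "share supply exceeds backing value"))
    return bad

# Constructed adversarial cases: replayed token, empty token, wrong slot, normal.
CASES = [("a", Token(1, 7, 135)), ("a", Token(1, 7, 135)),
         ("a", Token(2, 7, 0)), ("a", Token(3, 99, 50)), ("b", Token(4, 7, 10))]
```

Running `check_handler(Vault(double_credit=True), CASES)` flags the first deposit immediately, while the single-credit handler passes every case with share supply equal to held value.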
The subsequent CCIP migration announcement is also notable as part of the broader 2026 trend of major DeFi protocols moving away from bespoke bridge implementations in favour of standardised infrastructure with formal verification and operational maturity. The KelpDAO incident two months later validated the timing.
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-solv-hack-march-2026
- [02] blockchainmagazine.net: https://blockchainmagazine.net/solv-protocol-offers-10-bounty-as-defi-hack-exposes-critical-bitcoin-token-minting-vulnerability/
- [03] beincrypto.com: https://beincrypto.com/solv-protocol-hack-bro-vault-exploit/