How Was BRA Token Exploited?

3 min read

A logical flaw in the BRA token contract allowed a hacker to be profited by $225,000.


On January 10, 2023, the BRA token was exploited, in which the hacker was able to steal funds worth 819 $WBNB, roughly amounting to $225,000.

Introduction to BRA#

BRA is a token on BSC Chain, available on trading at PancakeSwap.

Vulnerability Assessment#

The root cause of the vulnerability is due to the existence of a logical flaw in the BRA contract, wherein the transfer process generated rewards if the caller or receiver were a pair.


Step 1:

Let's take a close took at one of the attack transactions executed by the exploiter.

Step 2:

The perpetrator initially took a flash loan of 1,400 $WBNB, before swapping 1,000 $WBNB for 10.5K $BRA tokens.

Step 3:

The acquired $BRA tokens were transferred to the PancakeSwap pair.

Step 4:

They then triggered the skim function, which in turn called the transfer function of the BRA contract, in order to collect rewards.

BRA Token Contract transfer functionality

Step 5:

Here, the attacker specified pair as the recipient address, and $BRA revert to pair, leading to a rise of $BRA amount after a single skim.

Step 6:

After repeating the call to the skim function roughly 101 times, the $BRA balance of the contract pair had significantly increased.

Step 7:

The attacker then exchanged back 1.675K $WBNB tokens, and repaid the flash loan amount of 1.4K $WBNB tokens.

Step 8:

675 $WBNB tokens in proceeds from the initial attack transactions were sent to the exploiter's address.

Fund flow during BRA exploit. Courtesy of BlockSec

Step 9:

The attacker then carried out a second attack transaction from which he stole funds worth 144 $WBNB tokens.

Step 10:

The exploiter finally transferred 819 $WBNB in total earnings to this address.


The online presence of the team affiliated with BRA tokens is unknown; hence, there is no official acknowledgement of the incident. The price of BRA tokens decreased by 98% of their value.


Numerous attacks in the DeFi ecosystem appear to be coordinated by the team or team members to route revenue for personal gain. It is possible, given the lack of a social profile and the incident response and recovery plan, that the event was pre-planned or arranged by team members. Users should always verify the legitimacy of a team and its tokens before investing in them.

In this context, Neptune Mutual emerges as a potential solution that could have significantly mitigated the aftermath of this breach. By providing a dedicated cover pool for projects like the BRA token, Neptune Mutual offers an avenue for users to safeguard their investments against smart contract vulnerabilities.

Neptune Mutual's parametric cover policies, specifically tailored to address smart contract vulnerabilities like the one exploited in the BRA token case, would have played a vital role in reducing the impact of this attack. Through parametric policies that don't require exhaustive loss evidence, users could have gained swift access to payouts as soon as the incident was addressed through the governance system.

Neptune Mutual's comprehensive security evaluation, encompassing aspects such as DNS and web-based security, intrusion detection and prevention, and both frontend and backend security, further underscores its commitment to fortifying the DeFi landscape against potential threats. While it may not be possible to prevent every hack, having a reliable safety net like Neptune Mutual's insurance can substantially minimize the fallout and financial losses associated with such incidents.

Reference Source: BlockSec