Solv Protocol, the on-chain Bitcoin reserve platform holding approximately 24,226 BTC valued at over $1.7 billion, confirmed on March 6, 2026 that one of its structured yield vaults had been exploited for roughly $2.7 million. The breach targeted a Bitcoin Reserve Offering (BRO) vault on the BNB Chain and represents the latest in a growing wave of decentralised finance security incidents in early 2026.
TL;DR
- Solv Protocol lost approximately $2.7 million worth of SolvBTC from a single BRO vault on BNB Chain
- Attacker exploited a reentrancy vulnerability in the BitcoinReserveOffering contract, triggering a double minting flaw 22 times
- The attacker inflated 135 BRO tokens into roughly 567 million BRO tokens, then swapped the position for around 38 SolvBTC
- Fewer than 10 users were affected; all other vaults remain secure
- Solv is working with Hypernative Labs, SlowMist, and CertiK to investigate
- Bitcoin traded at approximately $68,136 and Ethereum at $1,979 at the time of the exploit
How the Attack Unfolded
According to security researchers, the attacker identified and exploited a reentrancy vulnerability within one of Solv Protocol’s BitcoinReserveOffering smart contracts. Reentrancy attacks are a well-known class of exploits where an attacker makes repeated calls to a contract before the contract has finished updating its internal balances, allowing the attacker to withdraw more funds than they are entitled to.
An automated monitoring bot operated by security firm Decurity detected that the exploiter triggered the double minting flaw 22 separate times. Through these repeated transactions, the attacker managed to inflate an initial holding of just 135 BRO tokens into approximately 567 million BRO tokens. The attacker then swapped this massively inflated position for around 38 SolvBTC, which was valued at approximately $2.7 million at the time of the exploit.
Pseudonymous blockchain researcher Pyro confirmed the incident as a reentrancy attack, noting that variants of this technique have been responsible for multiple high-profile DeFi breaches over the past several years. The exploit was contained to a single vault and did not affect the broader Solv Protocol infrastructure.
Solv Protocol’s Response
Solv Protocol confirmed the incident in an update posted on social media, stating that all other vaults and user funds remain secure and unaffected. The team immediately paused the affected vault components and engaged multiple blockchain security firms, including Hypernative Labs, SlowMist, and CertiK, to assist with the investigation.
Solv also announced it would fully cover the losses sustained by the affected users, fewer than 10 in total. In an effort to recover the stolen assets, the protocol offered the exploiter a 10 percent white hat bounty if the funds are returned. Solv published an Ethereum wallet address to facilitate direct communication with the attacker, though no response had been recorded at the time of reporting.
The Broader DeFi Security Landscape
The Solv Protocol exploit is the latest reminder that DeFi security remains a pressing concern. In 2025, more than $3.4 billion was stolen across the decentralised finance sector. While the opening months of 2026 have not seen the same scale of mega hacks, a series of focused breaches has kept security concerns firmly in view.
Across January and February 2026, the crypto and DeFi sectors recorded approximately $112.5 million in losses across 31 incidents. March 2026 saw total losses surge to approximately $178 million, driven largely by a stablecoin minting exploit at Resolv Labs that resulted in around $80 million in losses, a major address poisoning attack that drained $24 million from a whale wallet, and the Solv Protocol vault exploit.
Earlier in the same week as the Solv incident, Curve Finance’s sDOLA LlamaLend market was exploited through a vulnerability tied to its price oracle configuration, allowing an attacker to earn roughly $240,000 through flash loan-driven liquidations. These incidents highlight that even established protocols with significant total value locked remain vulnerable to both novel and well-known attack vectors.
Reentrancy Attacks: A Persistent Threat
Despite being one of the oldest and most well-documented attack vectors in smart contract security, reentrancy exploits continue to plague DeFi protocols. The original DAO hack of 2016, which led to the Ethereum hard fork, was a reentrancy attack. Nearly a decade later, the same fundamental vulnerability pattern — where a contract’s state is not properly updated before external calls are made — continues to result in multi-million dollar losses.
Security analysts note that as protocols grow more complex, with layered vault structures and cross-chain interactions, the surface area for reentrancy vulnerabilities increases. Structured yield products like Solv’s Bitcoin Reserve Offerings, which package BTC exposure into vault-based investment strategies, introduce additional layers of contract logic that must be rigorously audited.
Why This Matters
The Solv Protocol exploit underscores a critical tension in the DeFi ecosystem: the push to create increasingly sophisticated Bitcoin-based financial products must be matched by equally rigorous security practices. Solv Protocol, which describes itself as the largest on-chain Bitcoin reserve with over $508 million in TVL across its SolvBTC-related products, handles a significant amount of user capital. While the team’s swift response, full user reimbursement, and engagement of top security firms represent best practices in incident management, the fact that a classic reentrancy vulnerability reached production in a protocol of this scale raises questions about the adequacy of pre-deployment auditing processes.
For users, the incident serves as a reminder that even protocols with substantial TVL and established reputations carry smart contract risk. Diversifying across multiple protocols, staying informed about security incidents, and understanding the specific risks of vault-based products remain essential practices for anyone participating in DeFi.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.
It’s wild that reentrancy attacks are still catching protocols off guard in 2026. This is basically DeFi security 101, yet $2.7M is gone just like that. Definitely sticking to cold storage for my BTC reserves until these smart contract audits start meaning something again.
reentrancy in 2026 is embarrassing. this is literally chapter 1 of every smart contract security guide since 2016
inflating 135 BRO tokens into 567 million through reentrancy is laughably basic. the exploit happened 22 times before anyone noticed. where was the real-time monitoring?
Really gutted for the Solv community. I was actually looking into their Bitcoin Reserve offering last week because the yield seemed solid, but this is exactly why we can’t have nice things in crypto. Hope the team can recover the funds or has a solid insurance backstop for the affected users.
fewer than 10 users affected is the only silver lining here. could have been way worse for a protocol holding 24K BTC
fewer than 10 users affected is the only reason this isnt a bigger story. 24K BTC under management and a $2.7M exploit on one vault is survivable but the reputational damage is real
of course it happened on BNB chain. that ecosystem has a security track record that would make ethereum blush for all the wrong reasons