The ERC-3525 Callback Trap: How Solv Protocol's Double-Mint Bug Turned 135 Tokens Into 567 Million
Source: DEV Community
On March 5, 2026, an attacker turned 135 BRO tokens into 567 million — then drained $2.7 million in SolvBTC from Solv Protocol's BitcoinReserveOffering vault. The weapon: a callback-driven double-mint vulnerability hiding in the intersection of ERC-3525 Semi-Fungible Tokens and ERC-721's onERC721Received hook.

This wasn't a novel attack class. It was reentrancy wearing a new costume. And it slipped past audits because the dangerous interaction wasn't in a single contract — it lived in the gap between two token standards.

The Architecture That Broke

ERC-3525 is a Semi-Fungible Token standard built on top of ERC-721. Every ERC-3525 token is also an ERC-721 token, which means safe transfers trigger the onERC721Received() callback on the receiving contract. This is by design — it's how smart contracts confirm they can handle incoming NFTs.

Solv Protocol's BRO vault accepted ERC-3525 deposits. The mint flow looked something like this:

User calls mint(tokenId, amount)
└─> Contract calls d
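The callback ordering this section describes, shown as an added Python model (not Solidity and not Solv Protocol's contract; Vault, ReentrantReceiver and on_erc721_received are assumed names): the vulnerable branch lets the receiver hook fire before any state is written, so a re-entering receiver passes the existence check twice, while the hardened branch applies checks-effects-interactions plus a reentrancy mutex.

```python
# Added Python model (not Solidity, not Solv's code); class and method names are assumed.

class Vault:
    # Minimal ERC-3525-style vault: mint() credits `amount` to a token id and
    # notifies the receiver via a hook modelled on onERC721Received.
    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened              # CEI ordering plus mutex
        self.entered = False                  # reentrancy mutex (hardened)
        self.balances = {}                    # token id -> credited value
        self.mint_count = 0

    def mint(self, receiver, token_id: int, amount: int) -> None:
        if self.hardened and self.entered:
            raise RuntimeError("reentrant call rejected")
        if token_id in self.balances:
            raise ValueError("token already minted")
        if self.hardened:
            # checks-effects-interactions: commit state, then call out
            self.balances[token_id] = amount
            self.mint_count += 1
            self.entered = True
            try:
                receiver.on_erc721_received(self, token_id, amount)
            finally:
                self.entered = False
        else:
            # vulnerable ordering: existence check passed, nothing written yet
            receiver.on_erc721_received(self, token_id, amount)
            self.balances[token_id] = self.balances.get(token_id, 0) + amount
            self.mint_count += 1


class ReentrantReceiver:
    # Receiving contract whose hook re-enters mint() once with the same id.
    def __init__(self) -> None:
        self.reentered = self.rejected = False

    def on_erc721_received(self, vault, token_id: int, amount: int) -> None:
        if self.reentered:
            return
        self.reentered = True
        try:
            vault.mint(self, token_id, amount)
        except (RuntimeError, ValueError):
            self.rejected = True          # hardened vault blocks the re-entry


def run_scenario(hardened: bool) -> tuple:
    # Returns (value credited to token 1, mints performed, re-entry rejected).
    vault, receiver = Vault(hardened), ReentrantReceiver()
    vault.mint(receiver, 1, 135)   # constructed sample deposit of 135 units
    return vault.balances[1], vault.mint_count, receiver.rejected
```

With the vulnerable ordering one 135-unit deposit is credited as 270 across two mints of the same id; with the hardened ordering the inner call is rejected and 135 is credited once.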