A publicly-available token burn function in the contract allowed attackers to manipulate the protocol, some said.