DeFi Flash Swap Attack Drains Bogged Finance of $3.6M


Flash loan attacks on decentralized finance (DeFi) protocols have come thick and fast over the past few months. The latest to fall victim is Bogged Finance.


In a post mortem published on May 23, security firm PeckShield detailed the attack that resulted in a malicious actor making off with $3.6 million.

Bogged Finance is a DeFi platform that allows users to research and place orders for any token on Binance Smart Chain using a limit order platform that takes advantage of PancakeSwap’s liquidity.


In an economic attack similar to the one that targeted PancakeBunny last week, a hacker managed to inflate a BOG token balance before selling the tokens on the market for a tidy profit.

PeckShield explained that the incident was due to a bug that allowed the attacker to increase their balance via self-transfer.

DeFi protocols under fire

The exploit stemmed from a bug in the token smart contract, which is designed to be deflationary by charging 5% of the transferred amount. Out of that 5%, 1% is burned and 4% is taken as a fee for staking profits.

Because of the bug, the contract charges only 1% of the transferred amount but still credits the 4% as staking profit. Taking advantage of this, the hacker carried out multiple flash swaps in order to repeatedly perform self-transfers and inflate the staking profits.

Nine flash swaps, which are very similar to flash loans, were used to add liquidity to the wBNB/BOG pool. Each swap generated 47,770 BOG, consuming 88,159 wrapped BNB, with 83,440 liquidity pool (LP) tokens minted.

These LP tokens were deposited into the BOG token contract for profit sharing. The attacker performed 434 self-transfers with a total transfer amount of 18.74 million BOG, resulting in an increased balance of 151,000 BOG due to the contract code bug. The attacker sold the BOG on the market, repaid the flash loans, and netted a profit of $3.6 million.
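
The fee mismatch described above breaks a supply-conservation invariant that a unit or property test can assert. The following Python model is an added example, not code from the BOG contract or PeckShield's report; the `Ledger` class, its method names, and the assumption that a single staker receives the whole fee pool are simplifications made for illustration.

```python
# Simplified ledger model of a deflationary token (hypothetical, for illustration).
BURN_BPS = 100    # 1% burned, as stated in the article
STAKE_BPS = 400   # 4% credited to stakers, as stated in the article

class Ledger:
    def __init__(self, charge_stake_fee):
        # charge_stake_fee=False models the bug: the 4% is credited but never charged.
        self.charge_stake_fee = charge_stake_fee
        self.balances = {}
        self.reward_pool = 0   # fees owed to stakers
        self.total_supply = 0

    def mint(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.total_supply += amount

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        burn = amount * BURN_BPS // 10_000
        stake_fee = amount * STAKE_BPS // 10_000
        deducted = burn + stake_fee if self.charge_stake_fee else burn
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount - deducted
        self.total_supply -= burn
        self.reward_pool += stake_fee  # credited in both variants

    def claim(self, staker):
        # Assumption: one staker owns 100% of the staked LP tokens.
        self.balances[staker] = self.balances.get(staker, 0) + self.reward_pool
        self.reward_pool = 0

    def conserved(self):
        # Invariant: every token is in a balance or the reward pool.
        return sum(self.balances.values()) + self.reward_pool == self.total_supply

def run_self_transfers(charge_stake_fee, rounds=10, amount=10_000):
    """Return (final holder balance, invariant holds?) after repeated self-transfers."""
    led = Ledger(charge_stake_fee)
    led.mint("holder", 1_000_000)  # constructed sample values
    for _ in range(rounds):
        led.transfer("holder", "holder", amount)
        led.claim("holder")
    return led.balances["holder"], led.conserved()

if __name__ == "__main__":
    print("buggy:", run_self_transfers(False))
    print("fixed:", run_self_transfers(True))
```

In the buggy variant the holder's balance grows with every self-transfer and `conserved()` returns `False`; with the full 5% charged, the balance shrinks and the invariant holds.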

The protocol announced that it will be migrating to a new contract and expects to burn 7.5 million BOG tokens in the process.

“We will then airdrop the Liquidity Tokens back to their rightful owners, and then return $BOG legitimately owned and purchased to their owners.”

BOG token price collapses

Unsurprisingly, with around half of the liquidity removed from the protocol, its token price plunged to zero on Sunday, according to CoinGecko. Before the collapse, it was trading at around $2.

Bogged Finance has explained that it has removed the remaining liquidity itself in preparation for the migration to the new contract and supply rebalancing.


Martin has been covering the latest developments on cyber security and infotech for two decades. He has previous trading experience and has been actively covering the blockchain and crypto industry since 2017.
