Flash loan attacks on decentralized finance (DeFi) protocols have come thick and fast over the past few months. The latest to fall victim is Bogged Finance.
In a post mortem published on May 23, security firm PeckShield detailed the attack that resulted in a malicious actor making off with $3.6 million.
In an economic attack similar to the one that targeted PancakeBunny last week, a hacker managed to inflate their BOG token balance before selling the tokens on the market for a tidy profit.
PeckShield elaborated that the incident was due to a bug that allows the attacker to increase the balance via self-transfer.
DeFi protocols under fire
The exploit stemmed from a bug in the token smart contract that is designed to be deflationary by charging 5% of the transferred amount. Out of that 5%, 1% is burned and 4% is taken as a fee for staking profits.
The contract, however, only deducts 1% of the transferred amount but still credits the full 4% as staking profit. Taking advantage of this, the hacker carried out multiple flash swaps in order to repeatedly perform self-transfers and inflate the staking profits.
Nine flash swaps, which are very similar to flash loans, were used to add liquidity to the wBNB/BOG pool. Each swap generated 47,770 BOG and consumed 88,159 wrapped BNB, with 83,440 liquidity pool tokens minted.
These LP tokens were deposited into the BOG token contract for profit sharing. The attacker performed 434 self-transfers with a total transfer amount of 18.74 million BOG, resulting in an increased balance of 151,000 BOG due to the contract code bug. The attacker sold the BOG on the market, repaid the flash loans, and netted a profit of $3.6 million.
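To make the accounting mismatch concrete, the following is an added, constructed Python model of the fee logic as the post mortem describes it. It is not Bogged Finance's contract code (which is not reproduced here) and simplifies heavily: balances are plain integers, staking profit is split by basis-point shares, and the `DeflationaryToken`, `simulate_self_transfers` names and the 1,000,000-token starting balances are all assumptions. The point it shows is the defender's one: when only 1% is deducted but 4% is credited, every transfer (including a self-transfer) creates tokens that no one paid for, and a supply-conservation invariant (balances + undistributed pool + burned == initial supply) detects that immediately, whereas the corrected version that deducts the full 5% keeps the invariant intact.

```python
# Constructed model of the fee accounting described in the article.
# NOT Bogged Finance's contract; a hypothetical simplification used to show
# why taking a 1% fee while crediting 4% to stakers mints tokens out of thin
# air, and how a supply-conservation check catches it.

BURN_BPS = 100    # 1% of every transfer is burned
STAKE_BPS = 400   # 4% of every transfer is credited as staking profit
BPS = 10_000


class DeflationaryToken:
    def __init__(self, balances, staker_shares_bps, buggy):
        self.balances = dict(balances)
        # staker -> share of the staking profit pool, in basis points (sums to BPS)
        self.staker_shares_bps = dict(staker_shares_bps)
        for staker in self.staker_shares_bps:
            self.balances.setdefault(staker, 0)
        self.initial_supply = sum(self.balances.values())
        self.burned = 0
        self.pool = 0          # staking profit not yet distributed (rounding dust)
        self.buggy = buggy

    def transfer(self, sender, recipient, amount):
        if self.balances[sender] < amount:
            raise ValueError("insufficient balance")
        burn = amount * BURN_BPS // BPS
        stake = amount * STAKE_BPS // BPS
        # Bug modelled from the article: only the 1% burn is deducted from the
        # transfer, yet the 4% staking profit is still credited. The fixed
        # variant deducts the full 5% so the credited profit is backed by real tokens.
        deducted = burn if self.buggy else burn + stake
        self.balances[sender] -= amount
        # Re-read the (possibly updated) recipient balance so a self-transfer
        # does not silently overwrite the deduction above.
        self.balances[recipient] = self.balances.get(recipient, 0) + amount - deducted
        self.burned += burn
        self.pool += stake
        self._distribute_staking_profit()

    def _distribute_staking_profit(self):
        distributable = self.pool
        for staker, share in self.staker_shares_bps.items():
            cut = distributable * share // BPS
            self.balances[staker] += cut
            self.pool -= cut

    def phantom_supply(self):
        """Tokens present in balances that the initial supply does not back."""
        accounted = sum(self.balances.values()) + self.pool + self.burned
        return accounted - self.initial_supply

    def supply_invariant_holds(self):
        return self.phantom_supply() == 0


def simulate_self_transfers(buggy, rounds, amount, attacker_share_bps):
    """Run repeated self-transfers by an address that also holds staking shares.

    Starting balances are constructed, not taken from the incident."""
    token = DeflationaryToken(
        balances={"attacker": 1_000_000, "liquidity_pool": 1_000_000},
        staker_shares_bps={
            "attacker": attacker_share_bps,
            "honest_staker": BPS - attacker_share_bps,
        },
        buggy=buggy,
    )
    for _ in range(rounds):
        token.transfer("attacker", "attacker", amount)
    return {
        "attacker_balance": token.balances["attacker"],
        "phantom_supply": token.phantom_supply(),
        "invariant_holds": token.supply_invariant_holds(),
    }


if __name__ == "__main__":
    for buggy in (True, False):
        print("buggy" if buggy else "fixed",
              simulate_self_transfers(buggy, rounds=3, amount=500_000, attacker_share_bps=BPS))
```

Running the model with the buggy flag set, three self-transfers of 500,000 tokens by an address holding all staking shares end with a balance higher than it started, and `phantom_supply()` reports exactly the 4% credited per round; with the fixed accounting the same transfers cost the address the 1% burn each time and the invariant holds. An on-chain equivalent of `supply_invariant_holds()` (a fuzz or invariant test asserting that fees deducted equal fees burned plus fees distributed) is the check that would have flagged this class of bug before deployment.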
The protocol announced that it will be migrating to a new contract and expects to burn 7.5 million BOG tokens in the process.
“We will then airdrop the Liquidity Tokens back to their rightful owners, and then return $BOG legitimately owned and purchased to their owners.”
BOG token price collapses
Unsurprisingly, with around half of the liquidity removed from the protocol, its token price plunged to zero on Sunday according to CoinGecko. Before the collapse, it was trading at around $2.
Bogged Finance has explained that it has removed the remaining liquidity itself in preparation for the migration to the new contract and supply rebalancing.