Bogged Finance Suffers $3M Flash Loan Exploit

  • The project’s development team discovered and mitigated the attack within 45 seconds, but the attacker was still able to drain $3 million of the $6 million of liquidity.
  • The team is currently working on a plan to mitigate the situation, which uses the same exploit as the unknown attacker.

Bogged Finance has become the second Binance Smart Chain-based decentralized finance (DeFi) project to become the target of a flash loan exploit, Bogged said in a press release on 23 May.

According to the announcement, at around 14:30 UTC on Saturday an attacker executed a “complex flash-loan based attack” that manipulated the platform’s staking rewards and caused an inflation of supply. Through the exploit the attacker was able to drain $3 million of the platform’s native BOG token, the price of which has fallen dramatically since the incident. Bogged’s team said in the blog post:

“The attacker was able to utilize flash loans to exploit a flaw in the staking section of the BOG smart contract to manipulate the staking rewards and cause an inflation of supply — without the transaction fee being charged and burned — causing net inflation.”

While the Bogged developer team — some of whom were in a Discord meeting during the incident — was able to discover and mitigate the exploit within 45 seconds, the attacker was still able to get away with half of the platform’s liquidity. In the time it took to patch the exploit, the attacker was able to make 11 transactions, taking 11,358 BNB with him. The only thing that got in the way of the exploit was the platform’s transaction limit of 47,500 BOG.

Bogged Finance — which enables users to place limit orders on all BSC-based tokens — now plans to mitigate the situation by migrating the remaining liquidity to a new contract using the “same exploit” as the attacker to drain the Liquidity Pool. The team will then redeploy an updated version of the contract to BSC, and after burning around 7.5 million tokens “airdrop the Liquidity Tokens back to their rightful owners”. The process is expected to take 24 hours to complete, with BOG having a much smaller circulating supply after it is finished. The team said:

“Not everyone will like this solution, but this will remove as much of the illegitimately obtained $BOG from circulation without affecting those who acted honestly during the attack.”

Bogged Finance’s exploit is the latest in a number of incidents targeting BSC-based DeFi projects. Less than a week ago, prominent DeFi protocol PancakeBunny also became the victim of a flash loan attack — with the hacker taking off with $200 million in crypto — but similarly to Bogged Finance, the platform was quick to come up with a recovery plan.
