Bogged Finance has become the second Binance Smart Chain-based decentralized finance (DeFi) project to be targeted by a flash loan exploit, Bogged said in a press release on 23 May.
According to the announcement, at around 14:30 UTC on Saturday an attacker executed a “complex flash-loan based attack” that manipulated the platform’s staking rewards and caused an inflation of supply. Through the exploit the attacker was able to drain $3 million of the platform’s native BOG token, the price of which has fallen dramatically since the incident. Bogged’s team said in the blog post:
“The attacker was able to utilize flash loans to exploit a flaw in the staking section of the BOG smart contract to manipulate the staking rewards and cause an inflation of supply — without the transaction fee being charged and burned — causing net inflation.”
While the Bogged developer team — some of whom were in a Discord meeting during the incident — were able to discover and mitigate the exploit within 45 seconds, the attacker was still able to get away with half of the platform’s liquidity. In the time it took to patch the exploit, the attacker was able to make 11 transactions, taking 11,358 BNB with him. The only thing that got in the way of the exploit was the platform’s transaction limit of 47,500 BOG.
Bogged Finance — which enables users to place limit orders on all BSC-based tokens — now plans to mitigate the situation by migrating the remaining liquidity to a new contract using the “same exploit” as the attacker to drain the Liquidity Pool. The team will then redeploy an updated version of the contract to BSC and, after burning around 7.5 million tokens, “airdrop the Liquidity Tokens back to their rightful owners”. The process is expected to take 24 hours to complete, with BOG having a much smaller circulating supply after it is finished. The team said:
“Not everyone will like this solution, but this will remove as much of the illegitimately obtained $BOG from circulation without affecting those who acted honestly during the attack.”
Bogged Finance’s exploit is the latest in a number of incidents targeting BSC-based DeFi projects. Less than a week ago, prominent DeFi protocol PancakeBunny also became the victim of a flash loan attack — with the hacker taking off with $200 million in crypto — but similarly to Bogged Finance, the platform was quick to come up with a recovery plan.