Binance Smart Chain’s Bogged Finance Suffers a $3M Flash Loan Attack


Binance Smart Chain’s decentralized finance ecosystem suffered another flash loan attack within a week of the PancakeBunny attack. The new attack caused the DeFi platform Bogged Finance to lose $3 million, which is half of its total liquidity. The team confirmed the attack on Sunday and warned users not to buy its native token until the issue is resolved.

Bogged Finance Loses $3M to Hackers

Because an online meeting was under way when the attack began, the development team identified and mitigated the exploit within 45 seconds (i.e. 15 blocks). The perpetrator was still able to make off with $3 million of the $6 million in circulating funds. After the attack, the BOG token price fell from around $1.8 to $0.0003.

With Bogged Finance, users can place limit orders for any token on Binance Smart Chain. The team shared details of the attack in a Medium post:

“The attacker was able to utilize flash loans to exploit a flaw in the staking section of the BOG smart contract to manipulate the staking rewards and cause an inflation of supply — without the transaction fee being charged and burned — causing net inflation.”

According to the team, the 47,500 BOG transaction limit slowed down the attacker’s automated process and helped reduce losses. In the 45 seconds before the lead developer resolved the vulnerability by disabling transaction fees, the attacker made a total of 11 transactions and stole 11,358 Binance Coins (BNB).

The team is migrating liquidity to a new contract by “using the same exploitation method as the attacker.” The updated version of the contract will be made available on Binance Smart Chain.

After burning around 7.5 million previously minted tokens during the migration process, Bogged Finance will dump the liquid tokens of the holders of airdrops. “If you paid for your BOG, the platform’s native token, it is safe,” according to yesterday’s announcement. The team expects the circulating supply to be reduced after the entire process, which will take 48 hours.

Last week, the well-known BSC-based DeFi protocol PancakeBunny was attacked in the same way. Hackers looted $45 million in cryptocurrency by exploiting vulnerabilities through a flash loan attack.