Date: 2021-05-26

Attacks on decentralized finance (DeFi) protocols have multiplied in recent months. The latest to fall victim is Bogged Finance.

In a post-mortem published on May 23, security firm PeckShield detailed the attack, which resulted in a malicious actor claiming $3.6 million.

Bogged Finance is a DeFi platform that allows users to research and order any token on Binance Smart Chain using a limit order platform that takes advantage of PancakeSwap’s liquidity.

In an economic attack similar to the one that targeted PancakeBunny last week, a hacker managed to inflate their balance of BOG tokens before selling them on the market for a juicy profit.

PeckShield explained that the incident was due to a flaw that allows the attacker to increase their balance through a self-transfer.

DeFi protocols under fire

The exploit stemmed from a flaw in the token's smart contract, which is designed to be deflationary by charging 5% of the transferred amount. Of that 5%, 1% is burned and 4% is taken as commission for the profits from staking.

In practice, the contract only charges 1% of the transferred amount but still credits 4% to the staking profit. Taking advantage of this, the hacker performed multiple flash swaps in order to repeatedly perform self-transfers and inflate the profits from staking.

Nine flash swaps, which are very similar to flash loans, were used to add liquidity to the wBNB/BOG pool. Each swap generated 47,770 BOG, which consumed 88,159 wrapped BNB, with 83,440 liquidity pool tokens minted.

These LP tokens were deposited in the BOG token contract for profit sharing. The attacker made 434 self-transfers for a total transfer amount of 18.74 million BOG, which increased the balance by 151,000 BOG due to the contract code failure. The attacker sold the BOG on the market, repaid the flash loans, and made a profit of $3.6 million.
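The accounting mismatch described above can be caught with a supply-conservation check. The following Python model is an added example, not the BOG contract or PeckShield's code; the class, function names and sample balance are assumptions, and only the 1% and 4% rates come from the article.

```python
from dataclasses import dataclass, field

BURN_BPS = 100      # 1% burned, per the article
STAKING_BPS = 400   # 4% credited as staking profit, per the article


@dataclass
class FeeTokenModel:
    """Simplified ledger for a fee-on-transfer token (hypothetical model)."""
    charge_staking_fee: bool          # False reproduces the flaw the article describes
    balances: dict = field(default_factory=dict)
    staking_rewards: int = 0          # tokens owed to stakers
    total_supply: int = 0

    def mint(self, account: str, amount: int) -> None:
        self.balances[account] = self.balances.get(account, 0) + amount
        self.total_supply += amount

    def transfer(self, sender: str, recipient: str, amount: int) -> None:
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        burn = amount * BURN_BPS // 10_000
        staking = amount * STAKING_BPS // 10_000
        # Flawed path deducts only the burn but still credits the staking share.
        deducted = burn + (staking if self.charge_staking_fee else 0)
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount - deducted
        self.total_supply -= burn
        self.staking_rewards += staking

    def unbacked_tokens(self) -> int:
        """Conservation check: balances plus owed rewards must equal total supply."""
        return sum(self.balances.values()) + self.staking_rewards - self.total_supply


def run_self_transfers(charge_staking_fee: bool, rounds: int, amount: int) -> int:
    """Repeat a self-transfer and return how many tokens exist without backing."""
    token = FeeTokenModel(charge_staking_fee=charge_staking_fee)
    token.mint("holder", 1_000_000)   # constructed sample balance
    for _ in range(rounds):
        token.transfer("holder", "holder", amount)
    return token.unbacked_tokens()


if __name__ == "__main__":
    print("flawed :", run_self_transfers(False, rounds=10, amount=10_000))
    print("correct:", run_self_transfers(True, rounds=10, amount=10_000))
```

A non-zero result from `unbacked_tokens()` after any sequence of transfers, self-transfers included, is the kind of invariant violation a property test or audit should flag before deployment.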

The protocol announced that it will migrate to a new contract and expects to burn 7.5 million BOG tokens in the process.

“We will then airdrop the liquidity tokens to their rightful owners and then we will return the $BOG legitimately owned and purchased to their owners.”

The price of the BOG token plummets

Unsurprisingly, with around half of the protocol’s liquidity removed, the token’s price plummeted to zero on Sunday, according to CoinGecko. Before the collapse, it was trading at about $2.

Bogged Finance has explained that it withdrew the remaining liquidity itself to prepare for the migration to the new contract and the rebalancing of the supply.

