Key Takeaways
- Bogged Finance reported that an unknown attacker successfully drained $3 million from its liquidity pools.
- The attack used a flash loan to exploit a code vulnerability.
- The rising number of attacks on Binance Smart Chain projects has created major security concerns for the blockchain.
Bogged Finance, a project built on Binance Smart Chain (BSC), faced a malicious attack in which $3 million worth of funds was drained from its liquidity pool. The incident is the second flash loan attack taking place on BSC in the last week.
Bogged Finance Attacked
Bogged Finance, a trading platform built on Binance Smart Chain (BSC), has suffered an attack.
The team reported that an unknown attacker had successfully drained $3 million in liquidity over the weekend. This was done through a complex attack that leveraged a flash loan and a vulnerability in the platform’s code.
We are aware of the flash loan attack against BOG and are as devastated as you. We believe we have prevented further theft against more of our liquidity.
We will make further announcements in the coming hours and days.
— BogTools – Powering DeFi on #BSC. (@bogtools) May 22, 2021
In a Medium blog post, the Bogged Finance team explained that the attacked exploited a bug in its smart contract that is linked to the platform’s fees that are given to liquidity providers as rewards.
Using a vulnerability, the attacker was able to artificially mint new tokens that produced a high rate of inflation. This led to a distribution of over 15 million BOG tokens to liquidity providers.
The inflated supply helped in executing a flash loan attack in which the attacker from able to drain funds from the BOG/BNB liquidity pool. The Bogged Finance team wrote:
“The attacker was able to utilize flash loans to exploit a flaw in the staking section of the BOG smart contract to manipulate the staking rewards and cause an inflation of supply—without the transaction fee being charged and burned—causing net inflation.”
Malicious actors have been known to use flash loans to borrow large amounts of funds so that they can artificially manipulate the price of a token, before returning the funds in the same transaction.
In the reports on the attack, the team claimed it was able to prevent the attacker from draining full liquidity by quickly turning off the transaction fee function.
Nevertheless, the hacker was able to get away with 11,358 Binance Coin (BNB), which equates to around $3 million of the $6 million available in the pool at the time of they attack. They did it all in only 45 seconds across 11 transactions.
Following the attack, the price of the BOG token collapsed from around $1.8 to almost zero ($0.0001).
Red Flags on Binance Smart Chain
With this, Bogged Finance joins a growing list of projects on BSC that have been exploited or suffered rug pulls.
On Thursday, Bunny Finance, a BSC yield aggregator, faced a similar flash loan attack that crashed the price of its native token by more than 96% and led to a loss of funds worth more than $45 million.
Other notable BSC projects that have suffered attacks this year include Uranium Finance, Spartan Protocol, Meerkat Finance, and bEarn. The attacks were collectively worth $122 million.
Hacks on BSC have increased in frequency as the total value locked (TVL) on the blockchain has grown to billions of dollars within the last six months.
Binance Smart Chain is an EVM-compatible chain that replicates many of the DeFi features found on Ethereum. It’s sometimes referred to as a “CeDeFi” network, meaning a centralized alternative to DeFi.
Soon after it was launched in Sep. 2020, BSC witnessed rapid growth and adoption. This was partly because of the low costs of trading and yield farming on the network relative to Ethereum, which is known for its exorbitant fees. However, after the recent spate of attacks, the blockchain is becoming better known for its high-risk ecosystem.
