The Binance Smart Chain (BSC) is becoming more vulnerable to flash loan attacks on the DeFi protocol running over the platform. On Saturday, May 22, BSC faced a second such attack in a week’s time with the victim being the Defi protocol Bogged Finance (BOG). Earlier this week, a similar incident was reported for BSC-based Pancake Bunny (BUNNY).
The Bogged Finance (BOG) token price crashed 98% dropping from $8.6 all the way to hitting an intraday low of $0.29. However, the BOG token price has pulled back from the low and is currently trading at $1.95 with a market cap of $4.5 billion.
Blockchain security and data analytics firm PeckShield recently reported the attack earlier today. As per their root cause analysis, The Bogged Finance Defi protocol was exploited by attackers while inflating the BOG balance. The attackers then minted a massive $3.6 million in profits while liquidating the BOG tokens. The analysis noted:
“The incident was due to a bug that allows the attacker to increase the balance via self-transfer. While it appears to be a flashloan attack, it is a flashswap-assisted one”.
Bug In BOG Token Contract
As reported by PeckShield, the incident happened through the exploitation of a bug in the BOG token contract. The contract in reality has been designed to be deflationary in nature by charging 5% of the transferred amount. Of this 5%, 1% is burned and the remaining 4% is taken as a fee for staking charges.
At the same time, the token contract implementation only charges 1% of the transferred amount but still inflates the 4% as the staking profit. The blog post notes:
“As a result, the attacker can take advantage of flashloans to significantly increase the staking amount and repeatedly perform self-transfers to claim the inflated staking profit. After that, the attacker immediately sells the inflated BOG for about $3.6M WBNB”.