Binance Smart Chain’s decentralized finance ecosystem saw a second flash loan exploit in a week after PancakeBunny. A new attack drained $3 million, or half the total liquidity, from DeFi platform Bogged Finance. The team confirmed the attack on Sunday, warning users not to buy its native token until the issue is solved.
The developer team identified and mitigated the exploit within 45 seconds, or 15 blocks, thanks to an online meeting held when the attack started. Still, the culprit was able to drain $3 million of the $6 million of liquidity. The BOG token price crashed from around $1.8 to $0.0003 following the attack.
Bogged Finance enables users to place a limit order on any Binance Smart Chain-based tokens. The team shared details of the attack in a Medium post:
“The attacker was able to utilize flash loans to exploit a flaw in the staking section of the BOG smart contract to manipulate the staking rewards and cause an inflation of supply — without the transaction fee being charged and burned — causing net inflation.”
According to the team, the transaction limit of 47,500 BOG has slowed the attacker’s automated process and potentially mitigated the damage. Within 45 seconds before the lead developer patched the exploit by disabling the transaction fee, the hacker was able to make a total of 11 transactions and made off 11,358 Binance Coin (BNB).
The team is working on migrating the liquidity to a new contract by “using the same exploit the attacker used.” It will deploy an updated version of the contract to Binance Smart Chain.
After burning about 7.5 million previously minted tokens during the migration, Bogged Finance will airdrop the holders’ liquidity tokens. “If you paid for your BOG, the platform’s native token, it is safe,” the announcement reassures. The team expects a smaller circulating supply after the whole process, which will take 48 hours, according to yesterday’s announcement.
Last week, prominent BSC-based DeFi protocol PancakeBunny suffered an attack in the same manner. Hackers made off with more than $200 million in crypto by utilizing an exploit in a flash loan attack.