May-22-2021 02:47:06 PM +UTC, BoggedFinance was hacked for ~$3.5M. This was due to the bug in the deflationary logic of the token. Bog Token is designed to be deflationary. 5% is charged with each transaction, 1% burned, and 4% going to the staking profit. Issues were in the
_txBurn() method, where only 1% were charged from the account instead of 5%, but 4% was still calculated towards staking profits.
An attacker saw that, and he used flashswaps to generate LP Tokens later staked to BoggedFinance. Used many self-transfers to exploit the bug in the deflationary logic and inflate staking profits.
Following analysis was done by Peckshield
- Step 1: Take nine flash-swaps and add liquidity into the WBNB+BOG pool. Each flash-swap leads to 47,770 BOG and the entire process consumes 88,159.43 WBNB with 83,440.57 LP token minted.
- Step 2: Stake the minted 83,440.57 WBNB+BOG LP tokens into the BOG token contract for profit sharing.
- Step 3: Perform 434 self-transfers in the total transfer amount of 18.74M BOG, resulting in an increased balance of 151K BOG.
- Step 4: Sell the extra BOG to WBNB, and then to anySwap.
- Step 5: Remove the added liquidity in Step 1 and complete the flash-swaps.
11378 BNBs went through 1inch Router to change that to ETH. ~1505 ETH were transferred to Ethereum using Anyswap.
An Attacker tried to move 100ETH through Tornado cash but the 1st transaction failed.
It seems like every hack is happening on BSC, and it’s true. The most devastating hacks in recent months happened on that chain. I don’t have an exact reason why, but I have some assumptions I spoke about in the previous post. Read “Binance Smart Chain DeFi Hacks”
We're in very interesting times of DeFi development. There are reputable projects many people trust, and which code is battle tested. There are copy-pasted projects that want to take a bite of $100B of TVL and these kind of projects are rushed to the production and what we're witnessing are products tested on the main network. Hackers are only waiting for such projects and they're ready to exploit them.
We've lost around $370M this year alone according to FrankResearcher.
We need to focus more on the stability and security of our products than an idea of quickly earned 💰 because we want to beat the market.
Before investing any money, verify the team, project and security. Do your own due diligence. Stay Safe 🦾