Bogged Finance Hacked for $3.5M

On May 22, 2021 at 02:47:06 PM UTC, Bogged Finance was hacked for ~$3.5M. The cause was a bug in the token's deflationary logic. The BOG token is designed to be deflationary: 5% is charged on each transaction, of which 1% is burned and 4% goes to staking profit. The issue was in the _txBurn() method, where only 1% was charged from the account instead of 5%, while the full 4% was still credited towards staking profits.

An attacker spotted this and used flash swaps to generate LP tokens, which he then staked in Bogged Finance. He then performed many self-transfers to exploit the bug in the deflationary logic and inflate his staking profits.

The hack

The following analysis was done by PeckShield:

  • Step 1: Take nine flash-swaps and add liquidity into the WBNB+BOG pool. Each flash-swap leads to 47,770 BOG and the entire process consumes 88,159.43 WBNB with 83,440.57 LP token minted.
  • Step 2: Stake the minted 83,440.57 WBNB+BOG LP tokens into the BOG token contract for profit sharing.
  • Step 3: Perform 434 self-transfers in the total transfer amount of 18.74M BOG, resulting in an increased balance of 151K BOG.
  • Step 4: Sell the extra BOG for WBNB, and then move it through Anyswap.
  • Step 5: Remove the added liquidity in Step 1 and complete the flash-swaps.
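The accounting error behind this incident (a fee that is only partially deducted from the sender while the full staking share is still credited) is easy to model. Below is an added Python illustration, not the Bogged Finance contract's code, which this post does not reproduce. It assumes the 1%/4% split quoted above, fees expressed in basis points, and hypothetical account names; it shows the buggy variant beside the corrected one and a supply-conservation check of the kind an auditor or unit test would use to catch the divergence, since every self-transfer under the buggy rule mints value into the reward pool that nobody paid.

```python
from dataclasses import dataclass, field

# Fee split as described in the post, in basis points (1/100 of a percent).
FEE_BPS = 500    # 5% charged per transaction
BURN_BPS = 100   # 1% burned
STAKE_BPS = 400  # 4% credited to the staking reward pool
assert BURN_BPS + STAKE_BPS == FEE_BPS


@dataclass
class TokenLedger:
    """Toy deflationary token: balances, a burn counter and a staking reward pool."""
    balances: dict = field(default_factory=dict)
    burned: int = 0
    staking_pool: int = 0
    buggy: bool = False  # True reproduces the mis-accounting pattern the post describes

    def circulating(self) -> int:
        return sum(self.balances.values())

    def transfer(self, sender: str, recipient: str, amount: int) -> None:
        if amount <= 0 or self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        burn = amount * BURN_BPS // 10_000
        stake = amount * STAKE_BPS // 10_000
        if self.buggy:
            # Bug pattern: only the burn share is taken out of the transferred
            # amount, yet the staking share is still added to the reward pool.
            deducted = burn
        else:
            # Correct: everything credited elsewhere is removed from the transfer.
            deducted = burn + stake
        self.balances[sender] -= amount
        # Works for self-transfers too (sender == recipient).
        self.balances[recipient] = self.balances.get(recipient, 0) + amount - deducted
        self.burned += burn
        self.staking_pool += stake


def supply_excess(ledger: TokenLedger, minted: int) -> int:
    """Tokens that exist on the books beyond what was ever minted.

    Conservation invariant: circulating + burned + reward pool == minted.
    A positive result means the fee logic is creating value out of nothing.
    """
    return ledger.circulating() + ledger.burned + ledger.staking_pool - minted


def simulate_self_transfers(buggy: bool, minted: int = 1_000, rounds: int = 1) -> int:
    """Mint to one hypothetical holder, self-transfer the full balance `rounds`
    times, and return the supply excess the invariant check reports."""
    ledger = TokenLedger(buggy=buggy)
    ledger.balances["holder"] = minted  # constructed sample state
    for _ in range(rounds):
        ledger.transfer("holder", "holder", ledger.balances["holder"])
    return supply_excess(ledger, minted)


if __name__ == "__main__":
    for flag in (True, False):
        label = "buggy" if flag else "fixed"
        print(f"{label}: excess after 2 self-transfers = "
              f"{simulate_self_transfers(buggy=flag, rounds=2)}")
```

The check that matters is `supply_excess`: under the corrected rule it stays at zero no matter how many transfers run, while under the buggy rule it grows by the staking share on every transfer, including transfers from an address to itself. An invariant test of this shape, run against a fee-on-transfer token in a fork or test suite, flags this class of bug before a deployment does.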

11,378 BNB went through the 1inch router to be swapped to ETH. ~1,505 ETH were then transferred to Ethereum using Anyswap.
The attacker tried to move 100 ETH through Tornado Cash, but the first transaction failed.

More info here: https://etherscan.io/address/0x4622A1f3d05DcF5A0589c458136C231009B6A207

It seems like every hack is happening on BSC, and it's true: the most devastating hacks in recent months happened on that chain. I don't have an exact reason why, but I have some assumptions I spoke about in the previous post. Read “Binance Smart Chain DeFi Hacks”.

$232M lost due to hacks in DeFi alone
We're in very interesting times of DeFi development. There are reputable projects that many people trust and whose code is battle tested. There are also copy-pasted projects that want to take a bite of the $100B of TVL; these kinds of projects are rushed to production, and what we're witnessing are products being tested on the main network. Hackers are only waiting for such projects and are ready to exploit them.

We've lost around $370M this year alone according to FrankResearcher.

We need to focus more on the stability and security of our products than on the idea of quickly earned 💰 because we want to beat the market.

Before investing any money, verify the team, project and security. Do your own due diligence. Stay Safe 🦾