Another day, another DeFi, another hack.
A smart contract bug saw Binance Smart Chain-based ‘Bogged Finance’ get drained of $3 million over the weekend, data from multiple sources show. The protocol’s BOG token plunged 98% in response.
“We are aware of the flash loan attack against BOG and are as devastated as you. We believe we have prevented further theft against more of our liquidity,” the developers wrote on Twitter on Saturday, shortly after the hack.
“RELAUNCHING SOON. Do not buy $BOG at this time,” the project’s Twitter bio reads.
A bogged DeFi hack
Decentralized finance (DeFi) hacks are overwhelmingly common in the crypto space. The technology is both new and highly experimental, and the lack of adequate talent for managing such complex infrastructure leads to several small players getting hacked.
And while the players are small and unknown, the losses are big and drastic—enough to reach global mainstream headlines if they were to happen to a traditional firm.
Bogged fell victim to this complexity over the weekend. The protocol allows users to research and place ‘limit orders’ for any token on Binance Smart Chain and is part of the broader ‘BogTools’ kit for other DeFi services and operations.
As explained by the Bogged team in an official release, the attacker utilized a “complex flash-loan-based attack” that targeted how the protocol worked. “Flash Loans,” for the uninitiated, are uncollateralized loans that allow users to borrow funds instantly, provided that the liquidity is returned to the pool within one transaction block.
“The attacker was able to utilize flash loans to exploit a flaw in the staking section of the BOG smart contract to manipulate the staking rewards and cause an inflation of supply,” the team explained.
The Bogged team was able to spot and mitigate the attack within a claimed 45 seconds. However, the damage was already done, and the hacker made off with nearly $3 million.
The plan ahead
In the release, the Bogged team said it would remove the current liquidity from the platform and migrate it to a new contract. “We are draining the Liquidity Pool of all the funds, using the same exploit the attacker used,” the team said.
Users and token holders, in addition, will be compensated. “We’re hoping to burn approximately 7.5m tokens in this migration, but the exact number may change. We will then airdrop the Liquidity Tokens back to their rightful owners, and then return $BOG legitimately owned and purchased to their owners,” the team stated.
Flash Loan attacks have previously resulted in tens of millions of dollars in losses for token holders and liquidity providers. Most projects offer compensation plans to keep their repute intact, but that seldom drives home the fact that most DeFi tools remain highly risky and experimental, and betting more than one can afford to lose is hardly a prudent choice.