Started at May-22–2021 02:47:06 PM +UTC, Bogged Finance was exploited to inflate the BOG balance, which is immediately sold to gain about $3.6M. The incident was due to a bug that allows the attacker to increase the balance via self-transfer. While it appears to be a flashloan attack, it is a flashswap-assisted one. In the following, we elaborate the technical details.
This incident was due to a bug in the BOG token contract that is designed to be deflationary by charging 5% of the transferred amount. Specifically, among the 5% charge, 1% is burned and 4% is taken as a fee for staking profit. However, the token contract implementation only charges 1% of the transferred amount but still inflates the 4% as the staking profit. As a result, the attacker can take advantage of flashloans to significantly increase the staking amount and repeatedly perform self-transfers to claim the inflated staking profit. After that, the attacker immediately sells the inflated BOG for about $3.6M WBNB.
The Hack Walk-through
- Step 1: Take nine flash-swaps and add liquidity into the WBNB+BOG pool. Each flash-swap leads to 47,770 BOG and the entire process consumes 88,159.43 WBNB with 83,440.57 LP token minted.
- Step 2: Stake the minted 83,440.57 WBNB+BOG LP tokens into the BOG token contract for profit sharing.
- Step 3: Perform 434 self-transfers in the total transfer amount of 18.74M BOG, resulting in an increased balance of 151K BOG.
- Step 4: Sell the extra BOG to WBNB, and then to anyETH.
- Step 5: Remove the added liquidity in Step 1 and complete the flash-swaps.
The Stolen Funds
This incident leads to the inflated balance of 151K BOG which was then sold by the attacker for $3.6M profit. Note the attacker’s funds from the above exploitations were initially held in this wallet: 0x4622. We are actively monitoring this wallet for any movement.
PeckShield Inc. is an industry leading blockchain security company with the goal of elevating the security, privacy, and usability of the current blockchain ecosystem. For any business or media inquiries (including the need for smart contract auditing), please contact us at telegram, twitter, or email.