Another Binance Smart Chain Project Suffers an Attack

Another Binance Smart Chain Project Suffers an Attack

Bogged Finance, a project built on Binance Smart Chain (BSC), faced a malicious attack in which $3 million worth of funds was drained from its liquidity pool on PancakeSwap. The incident is the second flash loan attack taking place on BSC in the last week.

Bogged Finance Attacked

Bogged Finance, a trading platform built on Binance Smart Chain (BSC), has suffered an attack.

The team reported that an unknown attacker had successfully drained $3 million in liquidity over the weekend. This was done through a complex attack that leveraged a flash loan and a vulnerability in its smart contract code.

In a Medium blog post, the Bogged Finance team explained that the attacked exploited a bug in its smart contract that is linked to the platform’s fees that are given to liquidity providers as rewards.

Using a vulnerability, the attacker was able to artificially mint new tokens that produced a high rate of inflation. This led to a distribution of over 15 million BOG tokens to liquidity providers.

The inflated supply helped in executing a flash loan attack in which the attacker from able to drain funds from the BOG/BNB liquidity pool on PancakeSwap. The Bogged Finance team wrote:

“The attacker was able to utilize flash loans to exploit a flaw in the staking section of the BOG smart contract to manipulate the staking rewards and cause an inflation of supply—without the transaction fee being charged and burned—causing net inflation.”

Malicious actors have been known to use flash loans to borrow large amounts of funds so that they can artificially manipulate the price of a token, before returning the funds in the same transaction.

In the reports on the attack, the team claimed it was able to prevent the attacker from draining full liquidity by quickly turning off the transaction fee function.

Nevertheless, the attacker was able to get away with 11,358 Binance Coin (BNB), which equates to around $3 million of the $6 million available in the pool at the time of they attack. They did it all in only 45 seconds across 11 transactions.

Following the attack, the price of the BOG token collapsed from around $1.8 to almost zero ($0.0001).

The team said it removed all liquidity from the old contract and plans to migrate its contract to a new one to prevent a similar attack from happening in the future. The contract will be deployed to the following address. Meanwhile, the team has warned users of not purchasing the existing tokens. The team has also promised the newly deployed smart contract would burn off the extra supply of tokens artificially minted by the attacker. This would reinstate the supply of tokens before the attack.

Red Flags on Binance Smart Chain

With this, Bogged Finance joins a growing list of projects on BSC that have been exploited or suffered rug pulls.

On Thursday, Bunny Finance, a BSC yield aggregator, faced a similar flash loan attack that crashed the price of its native token by more than 96% and led to a loss of funds worth more than $45 million.

Other notable BSC projects that have suffered attacks this year include Uranium Finance, Spartan Protocol, Meerkat Finance, and bEarn. The attacks were collectively worth $122 million.

Exploits on BSC have increased in frequency as the total value locked (TVL) on the blockchain has grown to billions of dollars within the last six months.

Binance Smart Chain is an EVM-compatible chain that replicates many of the DeFi features found on Ethereum. It’s sometimes referred to as a “CeDeFi” network, meaning a centralized alternative to DeFi.

Soon after it was launched in Sep. 2020, BSC witnessed rapid growth and adoption. This was partly because of the low costs of trading and yield farming on the network relative to Ethereum, which is known for its exorbitant fees. However, after the recent spate of attacks, the blockchain is becoming better known for its high-risk ecosystem.

Source: CryptoBriefing

LEAVE A REPLY

Please enter your comment!
Please enter your name here