Bogged Finance Flash Swap attack: attacker gets $3.6m, BOG price drops 80%

DeFi Farmer Prof. Um
5 min read · May 23, 2021

Hi there students,

It seems we have an attack every day! Yesterday, Bogged Finance was attacked by a “hacker” who used flash swaps on PancakeSwap to inflate his BOG count and dump it on the market. This resulted in a price drop for BOG from ~$9/BOG to ~$0.1/BOG (which has now recovered to ~$2/BOG), and a net profit for the attacker of $3.6m. Let’s see in detail what happened.

1. What is Bogged Finance?

Bogged Finance is a BSC project aiming to build the next generation of infrastructure and utilities on the mainnet. They are building limit orders for PancakeSwap and Smart Oracles, and even have a sniper that you can use as a BOG holder. Sniping means using a bot to buy early tokens as soon as they launch; I will make a lesson about it at a later stage.

The BOG token is the token that fuels the various Bogtools mentioned above. The BOG token had an interesting mechanism: every transaction is taxed, and the tax is redistributed to LP stakers. This is the mechanism that the attacker exploited.

2. How did they do it?

Step 1: They took 10 flash swaps (kinda like a flash loan, but with the swap leg included) from PancakeSwap.

Each swap was for 47,770 BOG from BNB. So in total, they had 477,700 BOG. This spiked the BOG price to ~$27/BOG.

Step 2: They provided 90% of their BOG to the LP Pool with BNB.

So they provided:

  • 429,930 BOG
  • ~$13m worth of WBNB to the BOG/BNB LP Pool

Step 3: They staked the LP tokens received from PancakeSwap to receive the profit share for the staking pools.

From the website we can see that there is a 1.9% fee on each transaction that rewards LPs.

However, this seems to be outdated, as from the token’s source code we can see this:

uint256 _burnRate = 50; // 5.0% of tx’s to be split between burn/distribute
uint256 _distributeRatio = 5; // 1:5 ratio of burn:distribute
uint256 _totalBurnt;

So it seems that the tax rate is 5.0%, of which 1% is burned and 4% is distributed to stakers.

Let’s see the burn function now:

function _txBurn(address account, uint256 txAmount) internal returns (uint256) {
    uint256 toBurn = txAmount.mul(_burnRate).div(1000); // calculate amount to burn

    _distribute(account, toBurn.mul(_distributeRatio-1).div(_distributeRatio)); // 4/5 of toBurn goes to stakers
    _burn(account, toBurn.div(_distributeRatio)); // 1/5 of toBurn is burnt

    return txAmount.sub(toBurn); // return amount left after burn
}

So here they calculate the amount to burn using the burnRate (5%). Then they distribute 4% (5*(5-1)/5).

And then comes the flaw in the logic: they burn the burnRate they already calculated (5%), divided by the distributeRatio (5%), which gives 1%. While you could say, duh, they are supposed to distribute 4% and burn 1%, for a total of 5%, so it’s right? Well, not exactly: they are supposed to burn 5%, and mint 4% to distribute. In this case, they are taxing 1% and minting 4% of the transaction, leading to hyperinflation. The attacker could do self-transfers where they would pay 1% of tax, but get 4% on their staking. And that’s exactly what they did.

Step 4: Self transfers

Remember that the attacker used 90% of their flash swaps for the LP tokens?

Well, with the remaining 10%, the attacker did a whopping 400 self-transfers to earn staking rewards. So for each transaction, the attacker would have lost 1% of their initial BOGs of 46,862. But their staking rewards would have been 4% of the initial BOGs. So if we were to calculate:

The attacker minted 184,083 BOGs, and had 841 BOGs left from their capital. Now remember, they need to pay back their flash swap, so they need 47,770. So their net gains are: ~140k BOGs.
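The calculation above can be reproduced with a small Python model of the fee accounting, placed next to a corrected variant and a supply invariant that a token test suite could assert. This is an added example, not code from the BOG contract or the original post; the function names, the corrected variant and the assumption that every staker reward accrues to the transferring address are illustrative.

```python
# Added model of the fee accounting described above; not the BOG contract.
BURN_RATE = 50        # per-mille, the page's _burnRate (5.0%)
DISTRIBUTE_RATIO = 5  # the page's _distributeRatio (1:5 burn:distribute)


def self_transfers(start, count, flawed):
    """Send the whole balance to yourself `count` times and track the supply.

    flawed=True  : sender is charged only the 1% burn, stakers are credited 4%.
    flawed=False : sender is charged the full 5%; 1% is burnt, 4% moves to stakers.
    """
    balance, rewards, violations = float(start), 0.0, 0
    for _ in range(count):
        supply_before = balance + rewards
        fee = balance * BURN_RATE / 1000                               # 5%
        to_stakers = fee * (DISTRIBUTE_RATIO - 1) / DISTRIBUTE_RATIO   # 4%
        to_burn = fee / DISTRIBUTE_RATIO                               # 1%
        balance -= to_burn if flawed else fee
        rewards += to_stakers
        # Invariant a transfer must keep: it may burn supply, never create it.
        if balance + rewards > supply_before + 1e-9:
            violations += 1
    return {"left": balance, "to_stakers": rewards, "violations": violations}


def net_gain(result, repay):
    # Page's simplification (assumption): all staker rewards accrue to the
    # address doing the transfers, which then repays one flash swap.
    return result["left"] + result["to_stakers"] - repay


if __name__ == "__main__":
    for flawed in (True, False):
        r = self_transfers(46_862, 400, flawed)
        print("flawed" if flawed else "corrected", r, round(net_gain(r, 47_770)))
```

With the flawed accounting every one of the 400 transfers breaks the invariant; with the full 5% charged to the sender the supply only shrinks and the loop loses money.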

Step 5: Remove the liquidity and complete the flash swaps

This is self-explanatory, isn’t it? They need to complete the swap for the flash swap to be approved (like flash loans). So they unstaked their LP tokens.

Step 6: Dump the 140k BOGs earned

At the inflated price that they made by pumping it with the PancakeSwap flash swaps, the attacker managed to sell his BOGs for ~$3.5m. They seem to have now swapped their BOGs into anyETH.

3. Consequences for Bogged Finance: an inflated token supply

This is an interesting case for flash loan/swap attacks. Because the flaw in the mint function benefitted all LP stakers, not only the attacker profited from it: all stakers got a huge amount of minted BOGs as their rewards. This is the really interesting consequence of having a redistribution of tax in the tokenomics: now there is a discrepancy between holders that have been LP staking and those who haven’t (and there could be numerous reasons not to stake LPs, impermanent loss for example).

While the attacker got 140k BOGs, the whole platform got ~1m BOGs of additional supply, which is why they are currently struggling to recover.

However, looking at the project’s roadmap, Bogged Finance seems to have been a BSC gem that was hidden. They really are building interesting infrastructure for the whole BSC ecosystem and I have no doubt they will recover from this hit. Being attacked doesn’t mean the end of the project: it might actually be an opportunity to get some visibility depending on how the admins solve the issue. I’m interested to see how their devs will tackle this delicate situation, and I might write another post on their solution.

Stay tuned!
