An attacker has stolen about $3.6 million from another decentralized finance (DeFi) project, Bogged Finance. The attack comes just days after a malicious actor made off with $200 million in a flash loan attack on PancakeBunny.
A post-mortem published by security firm PeckShield on May 23 showed that the attack followed a similar pattern to the PancakeBunny exploit: the attacker inflated the price of the BOG token before dumping the tokens on the market.
According to the security firm, the exploit hinged on a bug that let the attacker increase a balance by transferring tokens to himself. BOG is designed to be deflationary: every transfer is charged a 5% fee, of which 1% of the transferred amount is burned and the remaining 4% is distributed as staking profits.
The attacker used flash swaps to fund repeated self-transfers that manipulated the staking profits. In total he performed nine flash swaps, using the borrowed funds to add liquidity to the wBNB/BOG pool, then executed 434 self-transfers totaling 18.74 million BOG and netted 151,000 BOG from the bug. He then sold the BOG tokens, repaid the flash loans, and walked away with a profit of $3.5 million.
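To make the bug class concrete, here is an added illustration (constructed for this article, not Bogged Finance's contract code) of a fee-on-transfer token ledger in which a transfer caches both balances before writing them back, so a self-transfer overwrites the debit and the account gains tokens; beside it is the corrected ordering and a supply invariant a defender can use to detect the inflation. The 5%/1%/4% fee split follows the article; the account names, amounts and the exact accounting of the real BOG contract are assumptions, and the toy bug inflates far more aggressively per transfer than the real one did.

```python
"""Fee-on-transfer token ledger: a self-transfer accounting flaw and a fix.

Constructed model of the bug class described in the article (a transfer that
reads both balances before writing either lets a self-transfer clobber the
debit). Added illustration, not Bogged Finance's contract; the 5%/1%/4% fee
split follows the article, everything else here is assumed.
"""
from dataclasses import dataclass, field

FEE_BPS = 500    # 5% fee on every transfer (article)
BURN_BPS = 100   # 1% of the transferred amount is burned (article)
# the remaining 4% is credited to the staking pool (article)


@dataclass
class Token:
    balances: dict = field(default_factory=dict)
    total_supply: int = 0
    staking_pool: int = 0   # fee share owed to stakers, still part of supply

    def mint(self, account: str, amount: int) -> None:
        self.balances[account] = self.balances.get(account, 0) + amount
        self.total_supply += amount

    def _split_fee(self, amount: int):
        fee = amount * FEE_BPS // 10_000
        burn = amount * BURN_BPS // 10_000
        return fee, burn, fee - burn          # fee, burned part, staking part

    def transfer_vulnerable(self, sender: str, recipient: str, amount: int) -> None:
        """Cached-balance pattern: both balances are read before either is written."""
        from_bal = self.balances.get(sender, 0)
        to_bal = self.balances.get(recipient, 0)
        if from_bal < amount:
            raise ValueError("insufficient balance")
        fee, burn, stake = self._split_fee(amount)
        self.balances[sender] = from_bal - amount
        # When sender == recipient this write clobbers the debit above, so the
        # account ends up with old balance + (amount - fee): tokens from nowhere.
        self.balances[recipient] = to_bal + (amount - fee)
        self.total_supply -= burn
        self.staking_pool += stake

    def transfer_fixed(self, sender: str, recipient: str, amount: int) -> None:
        """Debit storage first, then read the recipient balance fresh."""
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        fee, burn, stake = self._split_fee(amount)
        self.balances[sender] -= amount
        # Re-reading after the debit means a self-transfer sees the reduced
        # balance; the account nets -fee, as a fee-on-transfer token intends.
        self.balances[recipient] = self.balances.get(recipient, 0) + (amount - fee)
        self.total_supply -= burn
        self.staking_pool += stake

    def supply_invariant_holds(self) -> bool:
        """Defender-side check: no tokens may exist outside balances + staking pool."""
        return sum(self.balances.values()) + self.staking_pool == self.total_supply


def self_transfer_outcome(fixed: bool, start: int = 1_000_000, amount: int = 100_000):
    """Mint `start` to one account, self-transfer `amount`, return (balance, invariant ok)."""
    t = Token()
    t.mint("alice", start)
    (t.transfer_fixed if fixed else t.transfer_vulnerable)("alice", "alice", amount)
    return t.balances["alice"], t.supply_invariant_holds()


if __name__ == "__main__":
    print("vulnerable:", self_transfer_outcome(fixed=False))  # balance grows, invariant broken
    print("fixed:     ", self_transfer_outcome(fixed=True))   # balance shrinks by the fee
```

The vulnerable path behaves correctly for ordinary two-party transfers, which is why this class of bug survives review: only the `sender == recipient` case breaks the `balances + staking_pool == total_supply` invariant. Rejecting self-transfers outright is an equally valid fix; either way, an off-chain monitor that recomputes that invariant after each block would have flagged the 434 self-transfers as they happened.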
Bogged Finance has announced that it will move to a new contract and expects to burn 7.5 million BOG tokens.
Given the number of DeFi projects springing up, more flash loan exploits, and even exit scams, should be expected.