If Game of Thrones had the Red Wedding, May 2021 should go down in BSC history as the Red Month. The entire crypto space has been shaken to it’s core, with most coins and tokens trading at less than 50% of it’s ATH as investors flee to sell into stablecoins in order to weather the current market conditions.
To make things worse, the BSC has also recently seen several high profile hacks, such as the PancakeBunny exploit that saw it’s token, $BUNNY, go from $250 to $6 in minutes. It seems that hackers aren’t resting on their laurels however, and are out for more as yet another popular BSC project was targeted.
BoggedFinance
At approximately 2.30pm UTC on the 22nd of May 2021, BoggedFinance was drained of $3m in liquidity as a result of a flash loan based attack. In a similar vein to what happened with PancakeBunny, the hacker was able to generate large quantities of $BOG (BoggedFinance’s native token) and quickly proceeded to dump all of it in exchange for 11,358 BNB, worth $3m at the time.
With the increased supply, the price of $BOG immediately tanked from $8 to just over $1. Unlike PancakeBunny however, this hacker exploited the rewards generating mechanism of staking BOG-BNB, which means that anyone who had BOG-BNB LP tokens in a farm at the time also received a portion of the $BOG that were artificially generated by the hacker.
For those of you who are interested in the step by step technicalities behind it all, Peckshield has a post discussing just that right here.
Fortunately, BoggedFinance’s dev team happened to be in a meeting together when this happened. Mobilizing immediately, a patch preventing the exploit from occurring again was released within 45 seconds, saving the remaining $3m liquidity left in Bogged.
What’s next for Bogged
The key takeaway from this section is — Don’t buy $BOG right now! With thousands of artificial $BOG left sitting in BOG-BNB farmers wallets, not doing anything would subject $BOG to huge price swings if these farmers chose to dump their stacks when the price eventually recovers.
To avoid such a situation from happening, the Bogged team have come up with a three step plan:
- White hat hack their own contract — essentially rugging $BOG.
- Transferring all of those funds into another contract and minting new tokens — for the purposes of this article, I’ll just refer to these new tokens as $BOGV2.
- Burn $BOGV2 to reduce its supply before airdropping it to users based on a snapshot that was taken at 11:05AM UTC 23 May 2012.
By making $BOG worthless, this somewhat solves the problem described above. It’s not yet clear however, how the team intends differentiate between legitimate and artificial $BOG in farmers wallets at the time of the snapshot.
At the time of writing, Pancakeswap still shows signs of trading the now worthless $BOG. If you’re reading this, please do not buy $BOG. The new $BOGV2 has not yet been released and will be soon, so hold on to your funds till then. Unfortunately, if you’ve bought $BOG after the snapshot was taken, there is nothing the team can do to get you back your money or airdrop you new $BOGV2 tokens.
Ending Thoughts
As someone who’s lost money holding $BOG, am I a little salty? Yes.
It’s not immediately clear if there will be any consequence for those who sold all of their artificially generated $BOG immediately following the hack. Walking away with a tidy little sum, I suppose there IS a case to be made for those who sold in panic after seeing that the price of $BOG went from $8 to $1, though they *conveniently* didn’t question the fact that their wallets were now thousands of $BOG richer.
But, we knew that crypto would be a wild ride when we signed up and I guess we’ll just have to take the ups and downs that come along with it. At the very least, I do applaud the Bogged team for accomplishing everything they’ve managed to following the hack. It must have been a Herculean effort to mitigate the problem, deal with the panicked investors on social media and deploy a solution all at the same time. Yet somehow they’ve pulled through and have a solution almost ready to go within 48 hours.
Good luck Bogged team. I truly do hope $BOGV2 will be a success.
More information about the exploit and the team’s response can be found by going to there Medium here.
