BOG Flash Loan Attack: What Happened, and what’s next — Token Migration.
IMPORTANT: DO NOT BUY DURING THIS PERIOD.
Contents
- Update 24/05
- Summary
- What happened
- About the exploit
- The plan forward
Update 24/05/2021 3:19PM UTC
The Bogged Finance Token Migration is taking longer than expected. The funds are being held securely in this wallet, until redeployment is complete. We are excited to launch the new version of the BOG Contract with over 7.5 million tokens burned. We will announce a countdown for the relaunch before launch.
New contract address (not yet deployed): 0xB09FE1613fE03E7361319d2a43eDc17422f36B09
It is *not* live yet. You will not be able to add it to metamask/trustwallet yet — we will announce when you can. Please do not buy “new bog” from anyone claiming to sell it.
Thanks, BogTools Team.
Summary — TL;DR
- The $BOG token was exploited by an unknown attacker who was able to drain $3m of the $6m liquidity using a complex Flash-Loan based attack.
- The attack was mitigated within 15 blocks of it starting to prevent a full drain of the liquidity pools.
- The attack resulted in the minting of over 15 Million $BOG tokens, which for the most part were distributed to $BOG stakers.
- We’re force migrating the contract utilising the same exploit the hacker used, to remove illegitimately obtained tokens. Everyone will receive their LP tokens and $BOG on a new contract over the coming hours.
- Tokens purchased from the market will not be removed during the migration — only tokens that were minted into peoples staking wallets, and a % of the PancakeSwap tokens will be removed.
- We expect to have a much smaller circulating supply than we do currently, by the end of this process.
- IMPORTANT: DO NOT BUY DURING THIS PERIOD.
What happened?
At Approximately 2:30PM UTC on Saturday the 22nd of May the $BOG token contract was exploited utilising a complex flash-loan based attack targeting the transaction fee.
Thankfully, some of our key team was in a Discord meeting discussing charts and observed the beginning of the attack and was able to mitigate it before the attacker was able to drain the Liquidity Pool of all the funds.
The attack was mitigated within 45 seconds, but not before the attacker made off with $3m of liquidity funds.
About the Exploit
The attacker was able to utilize flash loans to exploit a flaw in the staking section of the BOG smart contract to manipulate the staking rewards and cause an inflation of supply — without the transaction fee being charged and burned — causing net inflation.
The attacker used a specially designed contract to automate this process and was only hampered by the transaction limit (47,500 BOG).
The attacker was able to make 11 of these transactions in the space of 45 seconds.
While in a Discord Meeting discussing the launch of Stop Losses, Our Lead Developer and Co-Founder John noticed the irregular activity appearing in the charts UI, and was able to patch the exploit in 45 seconds (15 blocks) by disabling the transaction fee — but not before the attacker had made off with 11,358 BNB. Approximately half the tokens' liquidity.
The Plan Forward — A forced Migration, Burn and Redeploy
Currently, while you are reading this, we are executing a white hat attack on the contract to remove the liquidity and migrate it to a new contract.
We are draining the Liquidity Pool of all the funds, using the same exploit the attacker used.
We will then be redeploying an updated version of the contract to BSC with the majority of the minted tokens burned.
We’re hoping to burn approximately 7.5m tokens in this migration, but the exact number may change.
We will then airdrop the Liquidity Tokens back to their rightful owners, and then return $BOG legitimately owned and purchased to their owners. [READ: If you paid for your BOG, It is SAFE.] Please bare with us through this process, as it may take up to 24 hours — but we’re hoping to have it done in a lot less.
The new contract address for BOG will be announced on telegram.
We expect to have a much smaller circulating supply than we do currently after this migration.
Anyone who purchased $BOG after the hack but before the snapshot was taken at 11AM UTC will keep their new $BOG, as they purchased it from the market fairly.
IMPORTANT: DO NOT BUY THE OLD BOG TOKEN (0xd7…)
Not everyone will like this solution, but this will remove as much of the illegitimately obtained $BOG from circulation without affecting those who acted honestly during the attack.
FAQ:
Q: What’s happening to my BOG? Why is it worthless?
A: Bog V1 is having its liquidity drained for a forced migration to a new contract, you will receive new BOG in your wallet soon — and new LP tokens if you were staking.
Q: How long will this migration take.
A: The migration may take up to 48 hours, it’s important we get this right. We’re hoping to have it completed sooner, however.
Q: What will happen with the tools during this time?
A: Sniper and Stop Losses will continue to work with OLD Bog. New Limit Orders will be unavailable for a while.
Q: I was providing LP elsewhere, will I be compensated?
A: Yes, people who were providing LP outside of the BNB pools in Pancakeswap will be compensated in due course with new LP.
Q: How will holders be compensated for their losses?
A: The lowered supply (by approximately 7 million) will allow for the best price and fundamentals-based recovery possible. This is truly the only way to compensate holders — as anything else is a mirage.
Q: How will stakers be compensated for lost staking rewards?
A: These staking rewards were not legitimate, and the majority of these staking rewards will be NOT be migrated over and will instead be burned.
Q: What if I sold my hacked BOG from staking rewards?
A: People who sold their illegitimate BOG will have the BOG deducted from their Account and LP in the migration.
Q: What if I bought $BOG at a discount after the attack.
A: Everyone who bought $BOG after the attack will keep their tokens, as they were legitimately bought. We are really appreciative for our new holders. (Please note: This DOES NOT include BOG traded after this article was published, as the snapshot has now been taken.)
A personal note
We are aware that because of the amount of time required to perform this migration, and the fact we have to essentially rug the contract to perform the migration, it will be a stressful time for everyone with a lot of fear and doubt in the community.
That said, we’re confident that this is the best way forward, it will result in over 7.5m illegitimately obtained tokens being removed from supply and will put us on the best path to a recovery in price.
Our team has been building BogTools for over three months, and we are absolutely determined to not let this hack set back our roadmap and plans for $BOG, BogTools and Bogged.Finance.
If you’re new to $BOG, I’d really love it if you took some time to familiarise yourself with some of the tools we’re building, and our roadmap.
Roadmap: https://docs.bogtools.io/roadmap
Tools:
- Charts: https://charts.bogged.finance/
- Trading Tools: https://bogged.finance/
Our team is in it for the long haul, and we have a few exciting things to look forward to: Multichain, Limit Orders v2 and more in the coming weeks.
If you have questions, please tag me @LukeBogTools on the BogTools telegram, I will try my best to answer everyone's questions.
— Luke, and the BogTools Team.