The team behind the Memecoin protocol, Based Doge (BOGE), has confirmed that it was exploited on May 27. The attack was similar to the recent Normie exploit. The team expressed their regret over the incident and stated that they will compensate all the victims of the attack by taking a snapshot of current token balances and relaunching the project.
Blockchain data reveals that at 5:48 pm UTC on May 27, an account ending in bAOC initiated more than 120 transactions on the Base network. Each transaction resulted in a significant amount of BOGE being transferred into the account, totaling approximately 91.4 million BOGE.
The attacker called an unverified function on a smart contract located at an address ending in 1a42 within each transaction. Since the contract is unverified, the code for this function is not readable by humans.
Immediately after receiving the 91.4 million BOGE, the attacker exchanged them for around 4.47 Ether (ETH), equivalent to approximately $16,926 at that time.
Although the attacker’s gain was relatively small, it had a significant impact on the price of BOGE. Prior to the attack, the price of BOGE was $0.002983, with a total supply of 1 billion coins. This resulted in a market cap of about $2.9 million.
Following the attack, the price of BOGE plummeted to 0.000072, causing the 1 billion existing coins to lose over $2.8 million in value.
An analysis by Neptune Mutual, a Web3 insurance provider, revealed that the previous Normie attack was caused by a faulty function called “get_premarket_user.” This function allowed users to mint new tokens if they were either a premarket user or had the same balance as the deployer wallet. The attacker took advantage of this to become a “privileged user” and minted over 170,000 Normie tokens, resulting in losses exceeding $800,000.
This incident highlights the ongoing risk of smart contract exploits in the crypto space. Earlier in May, an attacker drained $20 million from the DeFi protocol Sonne Finance. On the same day, an ex-employee of the Solana memecoin platform Pump.fun allegedly exploited the protocol using privileged access. The alleged attacker claimed to have been arrested by U.K. police in connection with the incident.