BonqDAO Protocol Suffers $120 Million Loss in Oracle Hack
3 min read
The BonqDAO, a small decentralized autonomous organization (DAO), experienced a major smart contract exploit resulting in the theft of approximately $120 million from its protocol.
On February 1st, BonqDAO informed its Twitter followers that the Bonq protocol was vulnerable to an oracle hack, which allowed the attacker to manipulate the price of the AllianceBlock (ALBT) token.
The Bonq protocol suffered a hack by an oracle that artificially inflated the price of ALBT, enabling the creation of large amounts of BEUR. These BEUR tokens were traded for other assets on Uniswap, before the price was manipulated to plummet, causing mass liquidation of ALBT holdings. (Tweet by @BonqDAO on February 1, 2023)
According to report from PeckShield, a blockchain security company, the Bonq hack resulted in losses estimated at $120 million. The majority of the loss, $108 million, was from the 98.65 million BEUR tokens while $11 million came from 113.8 million wALBT tokens.
DeBank, a multi-chain portfolio tracker, reported that the biggest transaction of the exploit occurred at 6:32 PM UTC on Feb. 1 and was worth $82.19 million.
The bulk of these high-volume transactions occurred on the Polygon network.
How it Occurred
According to PeckShield, the attacker modified the “updatePrice” function of an oracle in one of BonqDAO’s smart contracts, granting them the ability to distort the value of the wALBT token.
The @BonqDAO is exploited and its price oracle is manipulated to increase the #WALBT price. Here is the example hack tx: https://t.co/YPxXMr2nkf pic.twitter.com/XrzExHY6m1
— PeckShield Inc. (@peckshield) February 1, 2023
The exploitation of wALBT and BEUR resulted in the hacker swapping $500,000 worth of BEUR for USDC on Uniswap and burning all 113.8 million wALBT to access ALBT.
The first to detect the exploit, “Spreek”, reported that the hacker sold additional BEUR and ALBT for USDC ($500,000) and 144 ETH (236,000).
The value of BEUR and ALBT declined significantly in a short span of time, as noted by PeckShield and others.
The actor withdrew 113.8 million #WALBT and 98 million #BEUR (valued at more than $10 million), and then walked away. This led to a significant drop in the value of the tokens, with #WALBT falling by more than 50% and #BEUR dropping by 34% after some of the tokens were dumped pic.twitter.com/HEYxrcaB5Y
— PeckShield Inc. (@peckshield) February 1, 2023
BonqDAO has announced that it has temporarily paused its protocol and is working on a recovery solution for its users.
The team is developing a solution that will allow users to withdraw all remaining collateral without repaying BEUR in the troves.
This solution is set to be released tomorrow morning CET. AllianceBlock, the token issuer of ALBT, also confirmed that an exploiter gained access to 113.8 million ALBT tokens.
In response, the team is removing all liquidity from Bonq and has temporarily suspended exchange trading. No smart contracts were compromised on AllianceBlock.
ANNOUNCEMENT
Recently, an attack resulted in the compromise of several ALBT Troves on Bonq, leading to the unauthorized access of approximately 110M ALBT.
This incident was limited to the Troves and did not affect the security of our smart contracts. pic.twitter.com/puntkIPK3G
— AllianceBlock (@allianceblock) February 1, 2023
AllianceBlock announced that they would mint new ALBT tokens to compensate those affected by the exploit until the time of the announcement.
“BonqDAO is a decentralized autonomous organization that offers self-sovereign financial services, allowing individuals and businesses to access interest-free services without losing control of their assets.
AllianceBlock, on the other hand, is a decentralized infrastructure platform bridging traditional finance and Web3 applications.”
