BonqDAO protocol suffers $120M loss after oracle hack

Published at: Feb. 2, 2023

A small-scale decentralized autonomous organization (DAO) has suffered a rather sizeable smart contract exploit leading to an estimated $120 million being stolen from its protocol.

BonqDAO, which is behind the Bonq protocol, told its Twitter followers on Feb. 1 that its protocol was exposed to an oracle hack that allowed the exploiter to manipulate the price of the AllianceBlock (ALBT) token.

Bonq protocol was exposed to an oracle hack, where exploiter increased the ALBT price and minted large amounts of BEUR. The BEUR was then swapped for other tokens on Uniswap. Then, the price was decreased to almost zero, which triggered the liquidation of ALBT troves.

— BonqDAO (@BonqDAO) February 1, 2023

An independent analysis from blockchain security firm PeckShield has estimated the loss from the Bonq hack to be around $120 million, comprising $108 million from 98.65 million BEUR tokens, and $11 million from 113.8 million wrapped-ALBT (wALBT) tokens.

While the exploit took place over several transactions, the largest was $82.19 million at 6:32 pm UTC on Feb. 1, according to multi-chain portfolio tracker DeBank.

Most of the high-scale transactions took place on the Polygon network.

How it happened

PeckShield explained that the exploiter was able to change the updatePrice function of the oracle in one of BonqDAO’s smart contracts, which meant that they were able to manipulate the price of the wALBT token.

The @BonqDAO is exploited and its price oracle is manipulated to increase the #WALBT price. Here is the example hack tx: https://t.co/YPxXMr2nkf pic.twitter.com/XrzExHY6m1

— PeckShield Inc. (@peckshield) February 1, 2023

This triggered the exploitation of the wALBT and BEUR. The hacker then swapped about $500,000 worth of BEUR for USDC on Uniswap before burning all 113.8 million wALBT to unlock ALBT.
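The sequence BonqDAO described (price raised, BEUR minted, price dropped, troves liquidated) can be modelled to show why a lending protocol should not act on a single unchecked price update. The following is an added example, not code from Bonq or PeckShield: the collateral ratio, the trove sizes, the report values and the deviation guard are all constructed assumptions, and the guard is a generic mitigation rather than the fix Bonq adopted.

```python
import statistics
from dataclasses import dataclass

MIN_RATIO = 1.5  # assumed minimum collateral ratio, for illustration only

@dataclass
class Trove:
    collateral: float  # collateral tokens locked
    debt: float        # stablecoin already minted

    def max_mint(self, price):
        return max(self.collateral * price / MIN_RATIO - self.debt, 0.0)

    def liquidatable(self, price):
        return self.debt > 0 and self.collateral * price / self.debt < MIN_RATIO

class NaiveOracle:
    """Trusts every report: one update moves the protocol's price."""
    def __init__(self, price):
        self.price = price

    def update_price(self, reported):
        self.price = reported
        return True

class GuardedOracle:
    """Serves the median of recent accepted reports and rejects outliers."""
    def __init__(self, price, max_move=0.20, window=5):
        self.history, self.max_move, self.window = [price], max_move, window

    @property
    def price(self):
        return statistics.median(self.history[-self.window:])

    def update_price(self, reported):
        if abs(reported - self.price) / self.price > self.max_move:
            return False  # caller should pause minting/liquidation and alert
        self.history.append(reported)
        return True

def replay(oracle, reports):
    """Feed reports; return (peak mintable, existing trove liquidated?, rejected)."""
    new_trove, old_trove = Trove(1_000.0, 0.0), Trove(10_000.0, 400.0)
    peak, liquidated, rejected = 0.0, False, 0
    for reported in reports:
        rejected += not oracle.update_price(reported)
        peak = max(peak, new_trove.max_mint(oracle.price))
        liquidated = liquidated or old_trove.liquidatable(oracle.price)
    return peak, liquidated, rejected

REPORTS = [0.10, 0.11, 50.0, 0.000001]  # constructed: normal, normal, spike, crash
```

A deviation guard also rejects genuine fast market moves, so a rejected report should pause minting and liquidation for review instead of letting the protocol continue silently on a stale price.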

On-chain security observer “Spreek” — who was one of the first to spot the exploit — stated to his 18,800 Twitter followers that the exploiter later dumped more BEUR and ALBT tokens for some USDC ($500,000) and 144 ETH ($236,000).

PeckShield and others noted that the price of the BEUR and ALBT tokens went down considerably in a short period of time:

The actor then walks away by withdrawing the illicit gains with 113.8M #WALBT and 98M #BEUR (valued >$10M). Some of these tokens are then dumped, resulting in major drop! #WALBT dropped by >50% and #BEUR dropped by 34% pic.twitter.com/HEYxrcaB5Y

— PeckShield Inc. (@peckshield) February 1, 2023

In a follow-up tweet, BonqDAO said it has paused the protocol and is working on a recovery solution.

“Other troves remain unaffected. Bonq protocol has been paused. We’re working on a solution that will allow users to withdraw all remaining collateral without repaying BEUR in the troves. It will be released tomorrow morning CET,” it said.

AllianceBlock — the issuer of the ALBT token — also posted on Feb. 1, telling its 51,300 Twitter followers that an exploiter managed to gain access to 113.8 million ALBT tokens.

The team is in the process of removing all liquidity on Bonq and has halted exchange trading, it said, adding that no smart contracts were exploited on AllianceBlock.

ANNOUNCEMENT: There has been a recent incident involving several ALBT Troves on Bonq, with the attacker gaining access to around 110M ALBT. The incident is isolated to these Troves. None of our smart contracts was breached or compromised. pic.twitter.com/puntkIPK3G

— AllianceBlock (@allianceblock) February 1, 2023

The announcement from AllianceBlock also added that it would mint new ALBT tokens for those impacted by the exploit up until the time of the announcement.


BonqDAO is a decentralized autonomous organization (DAO) which aims to provide self-sovereign financial services to individuals and businesses interest-free without giving up ownership of their assets.

AllianceBlock is a decentralized infrastructure platform that connects traditional financial institutions to Web3 applications.
