BonqDAO protocol suffers $120M loss after oracle hack

1 year ago

An oracle hack allowed the exploiter to manipulate the price of the AllianceBlock token, leading to an estimated $120 million loss, according to PeckShield.


A small-scale decentralized autonomous organization (DAO) has suffered a rather sizeable smart contract exploit leading to an estimated $120 million being stolen from its protocol.

BonqDAO, which is behind the Bonq protocol, told its Twitter followers on Feb. 1 that its protocol was exposed to an oracle hack that allowed the exploiter to manipulate the price of the AllianceBlock (ALBT) token.

Bonq protocol was exposed to an oracle hack, where exploiter increased the ALBT price and minted large amounts of BEUR. The BEUR was then swapped for other tokens on Uniswap. Then, the price was decreased to almost zero, which triggered the liquidation of ALBT troves.

— BonqDAO (@BonqDAO) February 1, 2023

An independent analysis from blockchain data firm PeckShield has estimated the loss from the Bonq hack to be around $120 million, comprising $108 million from 98.65 million BEUR tokens, and $11 million from 113.8 million wrapped-ALBT (wALBT) tokens.

While the exploit took effect over several transactions, the largest was $82.19 million at 6:32pm UTC time on Feb. 1, according to multi-chain portfolio tracker DeBank.

Most of the high-scale transactions took place on the Polygon network.

How it happened

PeckShield explained that the exploiter was able to change the updatePrice function of the oracle in one of BonqDAO’s smart contracts, which meant that they were able to manipulate the price of the wALBT token.

The @BonqDAO is exploited and its price oracle is manipulated to increase the #WALBT price. Here is the example hack tx: https://t.co/YPxXMr2nkf pic.twitter.com/XrzExHY6m1

— PeckShield Inc. (@peckshield) February 1, 2023

This triggered the exploitation of the wALBT and BEUR. The hacker then swapped around $500,000 worth of BEUR for USDC on Uniswap before burning all 113.8 million wALBT to unlock ALBT.
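To show why an unchecked oracle update is enough to cause both the oversized mint and the later liquidations, here is a toy model added for illustration; it is not BonqDAO's contract code. The class names, the 1.5 collateral ratio, the 20% deviation guard and every number are constructed assumptions.

```python
from statistics import median

MIN_RATIO = 1.5  # assumed minimum collateral ratio, not Bonq's real parameter

class Oracle:
    """Price feed; with max_deviation set it rejects jumps away from the recent median."""
    def __init__(self, price, max_deviation=None, window=5):
        self.history, self.max_deviation, self.window = [price], max_deviation, window

    @property
    def price(self):
        return self.history[-1]

    def update_price(self, new_price):
        ref = median(self.history[-self.window:])
        if self.max_deviation is not None and abs(new_price - ref) / ref > self.max_deviation:
            return False  # guard trips: keep the last accepted price
        self.history.append(new_price)
        return True

class Trove:
    """Collateralized debt position that trusts the oracle price as-is."""
    def __init__(self, oracle, collateral):
        self.oracle, self.collateral, self.debt = oracle, collateral, 0.0

    def borrow_limit(self):
        return self.collateral * self.oracle.price / MIN_RATIO

    def mint(self, amount):
        if self.debt + amount > self.borrow_limit():
            raise ValueError("would be undercollateralized")
        self.debt += amount

    def liquidatable(self):
        return self.debt > self.borrow_limit()

def replay(max_deviation):
    """Replay the reported sequence with constructed numbers: price up, then near zero."""
    oracle = Oracle(0.10, max_deviation)
    bystander = Trove(oracle, 1_000)      # ordinary user's trove, healthy at 0.10
    bystander.mint(50)
    small = Trove(oracle, 10)             # trove holding very little collateral
    up_accepted = oracle.update_price(1_000_000.0)
    limit_after_up = round(small.borrow_limit(), 2)
    down_accepted = oracle.update_price(0.000001)
    return up_accepted, limit_after_up, down_accepted, bystander.liquidatable()

if __name__ == "__main__":
    print("no guard :", replay(None))   # (True, 6666666.67, True, True)
    print("20% guard:", replay(0.20))   # (False, 0.67, False, False)
```

A deviation guard like this also holds back legitimate fast price moves, so in practice it is usually paired with a delay or a second price source instead of being used on its own.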

On-chain data observer “Spreek” — who was one of the first to spot the exploit — stated to his 18,800 Twitter followers that the exploiter later dumped more BEUR and ALBT tokens for some USDC ($500,000) and 144 ETH (236,000).

PeckShield and others noted that the price of the BEUR and ALBT tokens went down considerably in a short period of time:

The actor then walks away by withdrawing the illicit gains with 113.8M #WALBT and 98M #BEUR (valued >$10M). Some of these tokens are then dumped, resulting in large drop! #WALBT dropped by >50% and #BEUR dropped by 34% pic.twitter.com/HEYxrcaB5Y

— PeckShield Inc. (@peckshield) February 1, 2023

In a follow-up tweet, BonqDAO said it has paused the protocol and is working on a recovery solution.

“Other troves remain unaffected. Bonq protocol has been paused. We’re working on a solution that will allow users to withdraw all remaining collateral without repaying BEUR in the troves. It will be released tomorrow morning CET,” it said.

AllianceBlock — the token issuers of ALBT — also shared on Feb. 1, explaining to its 51,300 Twitter followers that an exploiter managed to gain access to 113.8 million ALBT tokens.

The team is in the process of removing all liquidity on Bonq and has halted exchange trading, it said, adding that no smart contracts were exploited on AllianceBlock.

ANNOUNCEMENT

There has been a recent incident involving several ALBT Troves on Bonq, with the attacker gaining access to around 110M ALBT.

The incident is isolated to these Troves. None of our smart contracts was breached or compromised. pic.twitter.com/puntkIPK3G

— AllianceBlock (@allianceblock) February 1, 2023

The announcement from AllianceBlock also added that they would mint new ALBT tokens to those impacted by the exploit up until the time of the announcement.


BonqDAO is a decentralized autonomous organization (DAO) which aims to provide self-sovereign financial services to individuals and businesses interest-free without giving up ownership of their assets.

AllianceBlock is a decentralized infrastructure platform that connects traditional financial institutions to Web3 applications.
