BonqDAO suffers $120 Mln exploit, Allianceblock tokens worth $12 Mln stolen

Key Takeaways

•  The hacker changed the update price function of the oracle in one of BonqDAO’s smart contracts leading to price manipulation of the wALBT token.
• The $120 million loss comprised of $108 million from 98.65 million BEUR tokens and around $11 million from 113.8 million wALBT tokens.

On February 1, BonqDAO-a decentralized borrowing protocol revealed that its pRotocol was subjected to an oracle hack. The hack, which allowed the hacker to manipulate the price of the AllianceBlock (ALBT) token, lead to losses of approximately $120 Million.

According to PeckShield, the $120 million loss comprised $108 million from 98.65 million BEUR tokens and around $11 million from 113.8 million wrapped-ALBT (wALBT) tokens. The attack was first brought to notice by the crypto Twitter community when they witnessed the price of the BEUR and ALBT tokens plunging considerably in a short period of time.

The @BonqDAO is exploited and its price oracle is manipulated to increase the #WALBT price. Here is the example hack tx: https://t.co/YPxXMr2nkf pic.twitter.com/XrzExHY6m1

— PeckShield Inc. (@peckshield) February 1, 2023

Detailing how the exploit took place, PeckShield states that the hacker changed the updatePrice function of the oracle in one of BonqDAO’s smart contracts leading to the manipulation of the price of the wALBT token. PeckShield further added that the attacker then swapped around $500,000 worth of BEUR for USDC on Uniswap before burning all 113.8 million wALBT to unlock ALBT.

ANNOUNCEMENT

There has been a recent incident involving several ALBT Troves on Bonq, with the attacker gaining access to around 110M ALBT.

The incident is isolated to these Troves. None of our smart contracts was breached or compromised. pic.twitter.com/puntkIPK3G

— AllianceBlock (@allianceblock) February 1, 2023

AllianceBlock disclosed on Twitter that the attacker breached individual “Troves” — smart contracts controlled by users and used to manage deposits — on the related platform Bonq. It further noted that the exploit is isolated to the BonqDAO troves, and no smart contracts were breached. Both teams added that they worked on removing liquidity to mitigate the hacker converting the stolen tokens into other assets and halted all exchange trading.

Bonq protocol was exposed to an oracle hack, where exploiter increased the ALBT price and minted large amounts of BEUR. The BEUR was then swapped for other tokens on Uniswap. Then, the price was decreased to almost zero, which triggered the liquidation of ALBT troves.

— BonqDAO (@BonqDAO) February 1, 2023

“Other troves remain unaffected. Bonq protocol has been paused. We’re working on a solution that will allow users to withdraw all remaining collateral without repaying BEUR in the troves. It will be released tomorrow morning CET,” BonqDAO’s tweet reads.

Reportedly, during the oracle hack, the attacker also minted 100 million BEUR tokens, decreasing their price to almost zero, which eventually fuelled the liquidation of the affected ALBT troves. AllianceBlock had added that it had taken a snapshot of holders before the exploit and will mint and airdrop new albt tokens to users impacted by the exploit.