BonqDAO suffers $120 Mln exploit, Allianceblock tokens worth $12 Mln stolen
- The hacker changed the update price function of the oracle in one of BonqDAO’s smart contracts leading to price manipulation of the wALBT token.
- The $120 million loss comprised of $108 million from 98.65 million BEUR tokens and around $11 million from 113.8 million wALBT tokens.
On February 1, BonqDAO-a decentralized borrowing protocol revealed that its pRotocol was subjected to an oracle hack. The hack, which allowed the hacker to manipulate the price of the AllianceBlock (ALBT) token, lead to losses of approximately $120 Million.
According to PeckShield, the $120 million loss comprised $108 million from 98.65 million BEUR tokens and around $11 million from 113.8 million wrapped-ALBT (wALBT) tokens. The attack was first brought to notice by the crypto Twitter community when they witnessed the price of the BEUR and ALBT tokens plunging considerably in a short period of time.
Detailing how the exploit took place, PeckShield states that the hacker changed the updatePrice function of the oracle in one of BonqDAO’s smart contracts leading to the manipulation of the price of the wALBT token. PeckShield further added that the attacker then swapped around $500,000 worth of BEUR for USDC on Uniswap before burning all 113.8 million wALBT to unlock ALBT.
AllianceBlock disclosed on Twitter that the attacker breached individual “Troves” — smart contracts controlled by users and used to manage deposits — on the related platform Bonq. It further noted that the exploit is isolated to the BonqDAO troves, and no smart contracts were breached. Both teams added that they worked on removing liquidity to mitigate the hacker converting the stolen tokens into other assets and halted all exchange trading.
“Other troves remain unaffected. Bonq protocol has been paused. We’re working on a solution that will allow users to withdraw all remaining collateral without repaying BEUR in the troves. It will be released tomorrow morning CET,” BonqDAO’s tweet reads.
Reportedly, during the oracle hack, the attacker also minted 100 million BEUR tokens, decreasing their price to almost zero, which eventually fuelled the liquidation of the affected ALBT troves. AllianceBlock had added that it had taken a snapshot of holders before the exploit and will mint and airdrop new albt tokens to users impacted by the exploit.