BonqDAO protocol victim of a $120 million hack

by Thomas

After a 2022 full of hacks, decentralised finance (DeFi) seemed rather unaffected this January. At least until today: the BonqDAO protocol on Polygon (MATIC) suffered an oracle attack resulting in the loss of $120 million.

An oracle hack

In a Twitter post, the BonqDAO protocol announced that it had been the victim of an oracle attack that led to its collapse. At the time of writing, the damage is estimated to be close to $120 million.

Bonq protocol was exposed to an oracle hack, where exploiter increased the ALBT price and minted large amounts of BEUR. The BEUR was then swapped for other tokens on Uniswap. Then, the price was decreased to almost zero, which triggered the liquidation of ALBT troves.

– BonqDAO (@BonqDAO) February 1, 2023

Let’s set the context to better understand this attack. BonqDAO is a rather particular lending protocol. It allows a user to lock assets into troves – smart contracts that only they can access – and get back BEUR stablecoin, which is backed by the dollar.

Specifically, the hacker managed to modify and dramatically increase the price of the ALBT token in the AllianceBlock oracle used by the BonqDAO protocol. He was thus able to use the protocol to mint BEUR, which he eventually exchanged for other tokens via Uniswap. This caused the ALBT to fall to zero, liquidating all trove positions.

This process is obviously not unlike the attack on Mango Markets last October, which resulted in the loss of $114 million.

What is surprising in this case is the childlike simplicity with which the hacker was able to tamper with the price of the ALBT token in the oracle. As you can see from the transaction history, he simply changed one line of code and that was it.
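The mechanism described above (an inflated oracle price allowing oversized BEUR minting, then a crashed price making ALBT troves liquidatable) can be modelled in a few lines. This is an added example, not BonqDAO's or AllianceBlock's code; the collateral ratio, price history, trove sizes and the median-deviation guard are constructed assumptions for illustration.

```python
from statistics import median

MCR = 1.5            # assumed minimum collateral ratio (constructed, not Bonq's real parameter)
MAX_DEVIATION = 0.2  # assumed guard: reject prices more than 20% from the recent median


def max_mintable(collateral: float, price: float, mcr: float = MCR) -> float:
    """Stablecoin a trove may mint: collateral value divided by the required ratio."""
    return collateral * price / mcr


def is_liquidatable(collateral: float, debt: float, price: float, mcr: float = MCR) -> bool:
    """A trove is liquidatable once collateral value falls below debt * ratio."""
    return collateral * price < debt * mcr


def guarded_price(reported: float, recent: list[float], max_dev: float = MAX_DEVIATION) -> float:
    """Accept the reported price only if it stays near the median of recent prices."""
    ref = median(recent)
    if ref <= 0 or abs(reported - ref) / ref > max_dev:
        raise ValueError(f"oracle price {reported} deviates too far from reference {ref}")
    return reported


def simulate(use_guard: bool) -> dict:
    """Replay the two price moves against one attacker trove and one honest trove."""
    recent = [0.10, 0.11, 0.10, 0.09, 0.10]           # constructed price history
    honest = {"collateral": 10_000.0, "debt": 500.0}  # healthy at a price of 0.10
    result = {"minted": 0.0, "honest_liquidatable": False, "rejected": []}
    for label, reported in (("inflate", 1_000_000.0), ("crash", 0.0000001)):
        try:
            price = guarded_price(reported, recent) if use_guard else reported
        except ValueError:
            result["rejected"].append(label)
            continue
        if label == "inflate":
            result["minted"] = max_mintable(1.0, price)  # 1 token of collateral
        else:
            result["honest_liquidatable"] = is_liquidatable(
                honest["collateral"], honest["debt"], price)
    return result


if __name__ == "__main__":
    print("no guard:", simulate(use_guard=False))
    print("guard:   ", simulate(use_guard=True))
```

Without the guard, a single token of collateral mints hundreds of thousands of units and the honest trove becomes liquidatable; with the guard, both price updates are rejected and neither effect occurs.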

$120 million stolen

Blockchain security firm Peckshield estimated the losses from the attack at around $120 million, including $98 million in BEUR and $12 million in ALBT. The individual reportedly managed to transfer funds from Polygon to Ethereum, which were then converted into 1.2 million Ether (ETH) and 500,000 DAI.

For the time being, BonqDAO said it has paused the protocol and is working on a solution to revive the protocol and recover the stolen funds.

The AllianceBlock oracle, which bridges the gap between decentralised and traditional finance, confirmed the incident on 1 February. The team said hackers managed to access around 110 million ALBT tokens. However, only ALBT tokens are affected, so the rest are unharmed.

“The other troves are not affected. The Bonq protocol has been paused. We are working on a solution that will allow users to remove all remaining collateral without paying back the BEURs in the troves. It will be published tomorrow morning.”

For the time being, all AllianceBlock activities are also suspended. However, the platform said it would take steps to refund those affected, including taking a snapshot before the attack and airdropping tokens.

“AllianceBlock and Bonq teams, including all affected partners, are in the process of removing cash and halting all transactions.”

The oracle is currently in the process of removing all cash from Bonq, while stating that none of AllianceBlock’s smart contracts are affected or damaged.
