$120M Attack: The Case of BonqDAO
On February 1st, a malicious hacker infiltrated and took advantage of an insecure smart contract on a decentralized platform to steal cryptocurrency.
A devastating smart contract exploit has caused a small decentralized autonomous organization (DAO) to suffer a staggering loss of approximately $120 million from its protocol.
Bonq protocol was exposed to an oracle hack, where exploiter increased the ALBT price and minted large amounts of BEUR. The BEUR was then swapped for other tokens on Uniswap. Then, the price was decreased to almost zero, which triggered the liquidation of ALBT troves.
— BonqDAO (@BonqDAO) February 1, 2023
On Wednesday, BonqDAO alerted its Twitter followers of an oracle breach that enabled the attacker to manipulate the price of AllianceBlock (ALBT) token through their Bonq protocol.
PeckShield, a blockchain security company, recently analyzed the Bonq hack and estimated the total loss to be around $120 million. This sum is broken down into 98.65 million BEUR tokens ($108 million) and 113.8 million wrapped-ALBT (wALBT) tokens ($11 million).
The majority of the larger transactions were carried out on the Polygon network, and currently, the BonqDAO protocol has temporarily halted all transactions on its platform.
BonqDAO explained that the hacker swapped the newly minted BEUR, drastically decreasing its worth. The lender further disclosed how this malicious act accelerated the liquidation of ALBT funds at an even faster speed.
How did it happen?
According to PeckShield, an attacker manipulated the updatePrice function of BonqDAO’s smart contracts, enabling them to tamper with the price of wALBT tokens. The vulnerability in the oracle enabled the hacker to manipulate the market prices of listed tokens and generate new coins.
Fundamentally, the hacker could take advantage of a vulnerability and access large sums of money with minimal collateral backing at an inflated price. However, the hacker will not be able to keep all of the stolen funds; they are only obtainable up to a certain amount.
The vulnerability resulted from the absence of control on the collateralization ratio, granting access to an attacker who could “borrow” 100 million BEUR with less than $1,000 worth of collateral, as CertiK informs on their Twitter.
Following the attack, CertiK reports that financial liquidity on the platform was limited and only allowed for roughly $1 million in withdrawal.
The hacker could not swap the stolen tokens with those of equal value. When they were exchanged, 1,000 ALBT, worth $30, now had a diminished price of only $10 due to a lack of liquidity, causing high slippage fees.
This malicious act caused the exploitation of wALBT and BEUR, with nearly $500,000 worth of BEUR swapped for USDC on Uniswap. The hacker then burned all 113.8 million wALBT to unlock ALBT.
The BEUR and ALBT tokens experienced a sharp decline in a short amount of time.
Security observer “Spreek” was among the first to discover the exploit. He alerted his expansive Twitter followers that the hacker sold BEUR and ALBT tokens for an incredible amount of $500,000 in USDC and 144 ETH ($236k).
AllianceBlock to mint new tokens for affected users
AllianceBlock, the issuer of the ALBT token, has urged its community to remain calm about the BonqDAO hack as it only affected ALBT troves. Moreover, AllianceBlock reassured that no smart contracts connected with their system were breached at any point during this attack.
The ALBT issuer has asserted its desire to work with the Bonq team in order to rectify this issue. In addition, all trading activities on the network have been frozen. As a final resolution, AllianceBlock will mint new ALBT tokens and distribute them among all impacted users for compensation purposes.
Despite increased security efforts, crypto hackers have managed to steal a massive amount of assets worth $3.8 billion in 2022 alone. The most recent example is the attack on BonqDAO, which has once again revealed how vulnerable these platforms could be when exposed to malicious actors.
Restoring trust in web3 security. Lossless incorporates a new layer of blockchain transaction security, protecting projects and their communities from malicious exploits and associated financial loss.
Lossless protocol implements an additional layer of blockchain transaction security for ERC-20 standard tokens, mitigating the financial impact of smart contract exploits and private key theft. Lossless protocol utilizes community-driven threat identification tools and a unique stake-based reporting system to identify suspicious transactions, providing real-time protection.
Twitter | Platform | Telegram | Discord | Website | Documentation | Github