BonqDAO protocol suffers $120 million loss after oracle hack

A small-scale decentralized autonomous organization (DAO) has suffered a fairly significant smart contract exploit that resulted in approximately $120 million being stolen from its protocol.

BonqDAO, which is behind the Bonq protocol, told its Twitter followers on February 1 that its protocol had been exposed to an oracle hack that allowed the exploiter to manipulate the price of the AllianceBlock token (ALBT).

An independent analysis by blockchain security firm PeckShield estimated the loss from the Bonq hack to be around $120 million, comprising $108 million from 98.65 million BEUR tokens and $11 million from 113.8 million wrapped ALBT tokens (wALBT).

While the exploit took effect across several trades, the largest was $82.19 million at 6:32 p.m. UTC on February 1, according to multichain portfolio tracker DeBank.

Most of the large-scale transactions took place on Polygon’s network.

How did it happen

PeckShield explained that the exploiter was able to change the oracle’s updatePrice function in one of BonqDAO’s smart contracts, which meant they were able to manipulate the price of the wALBT token.

This triggered the exploitation of wALBT and BEUR. The hacker then exchanged around $500,000 worth of BEUR for USDC on Uniswap before burning all 113.8 million wALBT to unlock ALBT.
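The following Python example is added here and is not code from BonqDAO, PeckShield or the original article. It shows one common defence against a manipulated price update of the kind described above: an update is accepted only if it stays close to the median of recently accepted prices, and an out-of-bound update pauses the feed. The class name, the 20% bound and the sample prices are assumptions constructed for illustration.

```python
from collections import deque
from statistics import median


class OraclePriceGuard:
    """Accept a price update only if it is close to recently accepted prices."""

    def __init__(self, window=5, max_deviation=0.20):
        self.accepted = deque(maxlen=window)  # rejected values never enter
        self.max_deviation = max_deviation    # assumed bound per update
        self.paused = False

    def submit(self, price):
        """Return (accepted, reason); an out-of-bound update pauses the feed."""
        if self.paused:
            return False, "feed paused pending review"
        if price <= 0:
            return False, "non-positive price"
        if self.accepted:
            ref = median(self.accepted)
            deviation = abs(price - ref) / ref
            if deviation > self.max_deviation:
                self.paused = True  # consumers keep the last good price
                return False, f"deviates {deviation:.0%} from median {ref}"
        self.accepted.append(price)
        return True, "ok"

    def price(self):
        """Price that dependent contracts would read: median of accepted values."""
        return median(self.accepted) if self.accepted else None


# Constructed sample feed: four ordinary updates, one manipulated spike,
# then a normal-looking update submitted while the feed is paused.
SAMPLE_UPDATES = [0.078, 0.080, 0.079, 0.081, 50000.0, 0.080]


def replay(updates, guard):
    """Feed updates through the guard and collect each decision."""
    return [(p,) + guard.submit(p) for p in updates]


if __name__ == "__main__":
    guard = OraclePriceGuard()
    for price, ok, reason in replay(SAMPLE_UPDATES, guard):
        print(f"{price:>10} accepted={ok} ({reason})")
    print("price served to consumers:", guard.price())
```

Because rejected values never enter the window, the spike cannot shift the baseline that later updates are compared against.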

On-chain security watcher “Spreek”, who was one of the first to spot the exploit, told his 18,800 Twitter followers that the exploiter later dumped more BEUR and ALBT tokens for some USDC ($500,000) and 144 ETH ($236,000).

PeckShield and others noted that the price of BEUR and ALBT tokens fell significantly in a short period of time.

In a subsequent tweet, BonqDAO said it has halted the protocol and is working on a recovery solution.

“Other coupons remain unaffected. The Bonq protocol has been paused. We are working on a solution that will allow users to withdraw all remaining collateral without paying the BEUR amount. It will be released tomorrow morning CET,” it said.

AllianceBlock — the issuers of ALBT tokens — also shared the news on February 1st, explaining to their 51,300 Twitter followers that an exploiter managed to gain access to 113.8 million ALBT tokens.

The group is in the process of removing all liquidity on Bonq and has stopped trading on the exchange, it said, adding that no smart contracts were exploited on AllianceBlock.

The announcement from AllianceBlock also added that it will mint new ALBT tokens for those affected by the exploit up to the time of the announcement.

BonqDAO is a decentralized autonomous organization (DAO) that aims to provide interest-free, self-sovereign financial services to individuals and businesses without requiring them to give up ownership of their assets.

AllianceBlock is a decentralized infrastructure platform that connects traditional financial institutions with Web3 applications.