BonqDAO Exploited for $90M

  • A hacker was able to manipulate the price of the AllianceBlock token on BonqDAO, which allowed him to drain close to $90 million worth of crypto from the protocol.
  • Both platforms have paused their services and are currently removing liquidity to hinder the hacker’s ability to convert the stolen tokens.

Decentralized autonomous organization (DAO) Bonq became the victim of an oracle hack, which allowed an exploiter to siphon roughly $90 million in crypto from the platform, BonqDAO said via Twitter on 2 February.

According to the announcement, the exploiter was able to manipulate the price of the AllianceBlock token (ALBT), and over several transactions was able to drain around 98 million BEUR — a Bonq token pegged to the euro — and 110 million WALBT. Since the incident, both Bonq and AllianceBlock have paused their services and are in the process of removing liquidity to hinder the hacker’s ability to convert the stolen tokens.

While there is still no official explanation of how the exploit happened, blockchain security firm PeckShield explained that the hacker was able to change a function of the oracle (updatePrice) in one of Bonq’s smart contracts, allowing him to manipulate the price of WALBT. The attacker increased the price of WALBT and minted a large amount of BEUR, after which the price was decreased to almost zero, triggering the liquidation of ALBT troves.
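The two effects described above (an inflated price raising how much can be minted, and a collapsed price making troves liquidatable) can be modelled alongside a deviation guard on price updates. This is an added example, not BonqDAO's or PeckShield's code; the `GuardedOracle` class, the 20% threshold, the 1.5 collateral ratio and all prices are constructed assumptions.

```python
from statistics import median

MAX_DEVIATION = 0.20         # assumed policy: reject updates >20% from the reference
MIN_COLLATERAL_RATIO = 1.5   # assumed value, not a BonqDAO parameter


class GuardedOracle:
    """Hypothetical feed that accepts an update only if it stays close to
    the median of the most recent accepted prices."""

    def __init__(self, initial_price, window=5):
        self.history = [initial_price]
        self.window = window
        self.rejected = []   # (price, deviation) pairs kept for alerting

    @property
    def price(self):
        return self.history[-1]

    def update_price(self, new_price):
        reference = median(self.history[-self.window:])
        deviation = abs(new_price - reference) / reference
        if new_price <= 0 or deviation > MAX_DEVIATION:
            self.rejected.append((new_price, deviation))
            return False
        self.history.append(new_price)
        return True


def max_mintable(collateral_units, price):
    """Debt a trove may mint against its collateral at the given price."""
    return collateral_units * price / MIN_COLLATERAL_RATIO


def is_liquidatable(collateral_units, debt, price):
    """True when collateral value falls below the required ratio."""
    return collateral_units * price < debt * MIN_COLLATERAL_RATIO


def replay(oracle, updates):
    """Feed a sequence of price updates and report which were accepted."""
    return [oracle.update_price(p) for p in updates]


if __name__ == "__main__":
    oracle = GuardedOracle(0.10)
    # Constructed sequence: normal tick, extreme spike, normal tick, near-zero crash.
    print(replay(oracle, [0.105, 5_000_000.0, 0.11, 0.0000001]))
    print("accepted price:", oracle.price, "rejected:", oracle.rejected)
```

Without the guard, the spike would let 1,000 collateral units back billions in minted debt, and the crash would flag an otherwise healthy trove for liquidation.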

Bonq is now working on a solution to allow users to withdraw their remaining collateral without repaying the BEUR in the troves. AllianceBlock also noted it was working on a plan to compensate affected ALBT holders, and that it has taken a snapshot of holders before the attack and will mint and airdrop new ALBT tokens in the near future. The price of both tokens has fallen significantly since the incident, with BEUR losing 23% in the last 24 hours, while ALBT lost more than 60% of its price.
