BonqDAO Exploited for $90M

Decentralized autonomous organization (DAO) Bonq became the victim of an oracle hack, which allowed an exploiter to siphon roughly $90 million in crypto from the platform, BonqDAO said via Twitter on 2 February.

According to the announcement, the exploiter was able to manipulate the price of the AllianceBlock token (ALBT), and over several transactions was able to drain around 98 million BEUR — a Bonq token pegged to the euro — and 110 million WALBT. Since the incident, both Bonq and AllianceBlock have paused their services and are in the process of removing liquidity as to hinder the hacker’s ability to convert the stolen tokens.

While there is still no official explanation on how the exploit happened, blockchain security firm PeckShield explained that the hacker was able to change a function of the oracle (updatePrice) in one of Bonq’s smart contracts, allowing him to manipulate the price of WALBT. The attacker increased the price of WALBT and minted a large amount of BEUR, after which the price was decreased to almost zero, triggering the liquidation of ALBT troves.

Bonq is now working on a solution to allow users to withdraw their remaining collateral without repaying the BEUR in the troves. AllianceBlock also noted it was working on a plan to compensate affected ALBT holders, and that it has taken a snapshot of holders before the attack and will mint and airdrop new ALBT tokens in the near future. The price of both tokens has fallen down significantly since the incident, with BEUR losing 23% in the last 24 hours, while ALBT lost more than 60% of its price.