After a year 2022 filled with hacks, decentralized finance (DeFi) seemed rather spared in January. At least until today: the BonqDAO protocol on Polygon (MATIC) suffered an oracle attack resulting in the loss of 120 million dollars.
A type hack “oracle”
In a Twitter post, the BonqDAO protocol has announced that it has been the victim of an “oracle” type attack leading to its collapse. At the time of writing, the damage is estimated at nearly $120 million.
Bonq protocol was exposed to an oracle hack, where exploit increased the ALBT price and minted large amounts of BEUR. The BEUR was then swapped for other tokens on Uniswap. Then, the price was decreased to almost zero, which triggered the liquidation of ALBT troves.
— BonqDAO (@BonqDAO) February 1, 2023
Let’s set the context to better understand this attack. BonqDAO is a rather special lending protocol. Indeed, it allows a user to lock assets in troves – smart contracts that only he can access – and to recover in return stablecoin BEUR, backed by the dollar.
Concretely, the hacker managed to modify and enormously increase the price of the ALBT token of the AllianceBlock oracle used by the BonqDAO protocol. Thus, he was able to use the BEUR mint protocol, which he eventually exchanged for other tokens via Uniswap. This caused the ALBT to drop to zero, liquidating all positions in the troves.
Tea @BonqDAO is exploited and its price oracle is manipulated to increase the #WALBT price. Here is the example hack tx: https://t.co/YPxXMr2nkf pic.twitter.com/XrzExHY6m1
— PeckShield Inc. (@peckshield) February 1, 2023
This process is obviously reminiscent the attack on Mango Markets last Octoberresulting in a loss of $114 million.
What is surprising in this case, it is the childlike simplicity with which the hacker was able to tamper with the price of the ALBT token in the oracle. As you can see from the transaction history, he just changed one line of code and voila.
👉 To go further – What is DeFi? All about decentralized finance
🎁 Cryptoast Research Launch Offer
1st Newsletter Free with the code TOASTNL
$120 million stolen
Blockchain-focused security firm Peckshield estimated the losses suffered from the attack at around 120 million dollars, including 98 million in BEUR and 12 million in ALBT. The individual allegedly managed to transfer funds from Polygon to Ethereum, which was then transformed into 1.2 million Ether (ETH) and 500,000 DAI.
For now, BonqDAO said it has paused the protocol and work on a recovery solution and recovery of stolen funds.
The AllianceBlock oracle, which bridges decentralized finance and traditional finance, confirmed the incident on February 1. The team reported that the hackers managed to gain access to around 110 million ALBT tokens. However, only the ALBT troves are concerned and the others are therefore intact.
“The other troves are unaffected. The Bonq protocol has been paused. We are working on a solution that will allow users to withdraw all remaining collateral without refunding BEUR in troves. It will be published tomorrow morning. »
At this time, all AllianceBlock activities are also suspended. The platform, however, said that it would take steps to reimburse those affectedin particular by taking a snapshot before the attack and performing an airdrop of tokens.
“The AllianceBlock and Bonq teams, including all affected partners, are in the process of removing liquidity and halting all transactions. »
Currently, the oracle is busy removing all cash from Bonq, specifying however that none of AllianceBlock’s smart-contracts is concerned or damaged.
👉 Secure your cryptocurrency with physical wallets from Ledger
The best way to secure your cryptocurrencies 🔒
🔥 The world leader in crypto security
Newsletter 🍞
Receive a summary of crypto news every Monday by email 👌
What you need to know about affiliate links. This page presents assets, products or services relating to investments. Some links in this article are affiliated. This means that if you buy a product or register on a site from this article, our partner pays us a commission. This allows us to continue to offer you original and useful content. There is no impact on you and you can even get a bonus by using our links.
Investments in cryptocurrencies are risky. Cryptoast is not responsible for the quality of the products or services presented on this page and could not be held responsible, directly or indirectly, for any damage or loss caused following the use of a good or service highlighted in this article. Investments related to crypto-assets are risky by nature, readers should do their own research before taking any action and only invest within the limits of their financial capabilities. This article does not constitute investment advice.
AMF recommendations. There is no guaranteed high return, a product with high return potential involves high risk. This risk-taking must be in line with your project, your investment horizon and your ability to lose part of this savings. Do not invest if you are not ready to lose all or part of your capital.
To go further, read our Financial Situation, Media Transparency and Legal Notices pages.