A small-scale decentralized autonomous organization (DAO) suffered a fairly large smart contract exploit that led to an estimated $120 million being stolen from its protocol.
BonqDAO, the company behind the Bonq protocol, told its Twitter followers on Feb. 1 that its protocol was subjected to an oracle hack that allowed an exploiter to manipulate the price of the AllianceBlock (ALBT) token.
The Bonq protocol was subjected to an oracle hack, in which the exploiter increased the price of ALBT and mined large amounts of BEUR. Then BEUR was replaced by other tokens on Uniswap. After that, the price was reduced to almost zero, which led to the liquidation of the ALBT troves.
– BonqDAO (BonqDAO) February 1, 2023
An independent analysis from blockchain security firm PeckShield estimates the loss from the Bonq hack at around $120 million, comprising $108 million from 98.65 million BEUR tokens and $11 million from 113.8 million ALBT (wALBT) tokens.
While the exploit was carried out over several transactions, the largest was $82.19 million at 6:32 PM UTC on Feb. 1, according to multi-chain wallet tracker DeBank.
Most of the large-scale transactions took place on the Polygon network.
How did that happen?
PeckShield explained that the exploiter was able to change the update price function of the oracle in one of the BonqDAO smart contracts, which meant they were able to manipulate the price of the wALBT token.
The @employee Oracle is being exploited and its price is being manipulated to increase #WALBT price. Here’s an example hack tx: https://t.co/YPxXMr2nkf
– PeckShield Inc. (pecksshield) February 1, 2023
This led to exploits of wALBT and BEUR. The hacker then exchanged $500,000 worth of BEUR for USDC on Uniswap before burning 113.8 million wALBT to unlock ALBT.
On-chain security controller “Spreak”, who was one of the first to discover the vulnerability, reported to his 18,800 Twitter followers that the exploiter later dumped more BEUR and ALBT tokens for some USDC ($500,000) and 144 ETH ($236,000).
PeckShield and others note that the price of the BEUR and ALBT tokens has dropped dramatically in a short period of time:
The actor then walks away by siphoning off the ill-gotten gains with 113.8 million #WALBT and 98 m #BEUR (value > $10 million). Some of these symbols are then eliminated, resulting in a significant drop! #WALBT decreased by > 50% and #BEUR decreased by 34%
– PeckShield Inc. (pecksshield) February 1, 2023
In a follow-up tweet, BonqDAO said it has paused the protocol and is working on a recovery solution.
“Other burial is not affected. The Bonq protocol has been paused. We are working on a solution that will allow users to withdraw all remaining collateral without paying BEUR in payments. It will be released tomorrow morning CET.”
AllianceBlock, the issuer of ALBT tokens, also shared the news on Feb. 1, explaining to its 51,300 Twitter followers that an exploiter gained access to 113.8 million ALBT tokens.
The team is in the process of removing all liquidity on Bonq and halting exchange trading, it said, adding that no smart contracts have been exploited in AllianceBlock.
Recently there was an incident involving several ALBT Troves in Bonq, where the striker managed to get to around 110M ALBT.
The incident was isolated to these Troves. None of our smart contracts have been breached or compromised.
– AllianceBlock (allianceblock) February 1, 2023
AllianceBlock’s announcement also added that they will be issuing new ALBT tokens for those affected by the exploit as of the time of the announcement.
BonqDAO is a decentralized autonomous organization (DAO) that aims to provide interest-free, self-sovereign financial services to individuals and companies without giving up ownership of their assets.
AllianceBlock is a decentralized infrastructure platform that connects traditional financial institutions with Web3 applications.