A small, autonomous, decentralized (dao) organization has undergone a relatively significant feat in the area of smart contracting, resulting in the theft of approximately $120 million of its protocol.
Bonqdao reported to his followers on Twitter on February. 1 that his bonq protocol was exposed to an oracle hack that allowed the attacker to manipulate the alliance price (albt) token.
The bonq protocol was exposed to oracle piracy, where the operator raised the price of albt and hit large quantities of butter. The pot was then exchanged for additional chips on uniswap. Then, the price was decreased to almost zero, which triggered the liquidation of ALBT troves.
— BonqDAO (@BonqDAO) February 1, 2023
An independent analysis from blockchain security firm PeckShield has estimated the loss from the Bonq hack to be around $120 million, comprising $108 million from 98.65 million BEUR tokens and $11 million from 113.8 million wrapped-ALBT (wALBT) tokens.
While the feat came into effect on a number of transactions, the most significant was $82.19 million at 6:32 p.m. on February. 1, according to multichain portfolio tracker DeBank.
Most large-scale transactions have taken place on Polygon.
How did this come to pass?
PeckShield explained that it was possible for the operator to amend the update.Oracle price feature in one of the BonqDAO smart contracts, which means they have been able to handle the price of the wALBT token.
The @BonqDAO is exploited and its price oracle is manipulated to increase the #WALBT price. Here is the example hack tx: https://t.co/YPxXMr2nkf pic.twitter.com/XrzExHY6m1
— PeckShield Inc. (@peckshield) February 1, 2023
This caused the wALBT and BEUR to be exploited. The hacker then traded about $500,000 of BEUR against USDC on Uniswap and burned the $113.8 million wALBT to unlock ALBT.
On-chain security observer “Spreek” — who was one of the first to spot the exploit — told his 18,800 Twitter followers that the exploiter later dumped more BEUR and ALBT tokens for $500,000 in USDC and 144 ($236,000).
PeckShield and others noted that the price of BEUR and ALBT chips has decreased significantly in a short time:
The actor then walks away by withdrawing the illicit gains with 113.8M #WALBT and 98M #BEUR (valued >$10M). Some of these chips are then discarded, which leads to a significant drop! #WALBT dropped by >50% and #BEUR dropped by 34% pic.twitter.com/HEYxrcaB5Y
— PeckShield Inc. (@peckshield) February 1, 2023
In a follow-up tweet, BonqDAO reported that it has interrupted the protocol and is working on a recovery solution.
"There are other troves that are not affected. The bonq protocol has been put on hold. We are working on a solution that will enable users to remove all remaining guarantees without reimbursing beur in the troves. It's going to be published in the morning," he said.
Allianceblock, the symbolic transmitters of albt, also announced the announcement on February 2. 1, explaining to its 51,000 Twitter subscribers that an operator was able to access 113.8 million albt chips.
The team is removing all cash on Bonq and has shut down foreign exchange transactions, he said, adding that no smart deal has been exploited on AllianceBlock.
ANNOUNCEMENT
There has been a recent incident involving several ALBT Troves on Bonq, with the attacker gaining access to around 110M ALBT.
The incident is isolated in these barters. None of our intelligent contracts have been broken or compromised. pic.twitter.com/puntkIPK3G
— AllianceBlock (@allianceblock) February 1, 2023
About the Alliance announcement.Block also added that they would mint new ALBT tokens to those impacted by the exploit up until the time of the announcement.
Related: Tribe DAO votes in favor of repaying victims of $80M Rari hack
BonqDAO is a decentralized autonomous organization that aims to provide self-sovereign financial services to individuals and businesses interest-free without giving up ownership of their assets.
AllianceBlock is a decentralised infrastructure platform that links traditional financial institutions with Web3 apps.