A small-scale decentralized autonomous organization (DAO) has suffered a rather sizeable smart contract exploit leading to an estimated $120 million being stolen from its protocol.
BonqDAO, which is behind the Bonq protocol, told its Twitter followers on Feb. 1 that its protocol was exposed to an oracle hack that allowed the exploiter to manipulate the price of the AllianceBlock (ALBT) token.
Bonq protocol was exposed to an oracle hack, where exploiter increased the ALBT price and minted large amounts of BEUR. The BEUR was then swapped for other tokens on Uniswap. Then, the price was decreased to almost zero, which triggered the liquidation of ALBT troves.
— BonqDAO (@BonqDAO) February 1, 2023
An independent analysis from blockchain security firm PeckShield has estimated the loss from the Bonq hack to be around $120 million, comprising $108 million from 98.65 million BEUR tokens, and $11 million from 113.8 million wrapped-ALBT (wALBT) tokens.
While the exploit took effect over several transactions, the largest was $82.19 million at 6:32pm UTC time on Feb. 1, according to multi-chain portfolio tracker DeBank.
Most of the high-scale transactions took place on the Polygon network.
How it happened
PeckShield explained that the exploiter was able to change the updatePrice function of the oracle in one of BonqDAO’s smart contracts which meant that they were able to manipulate the price of the wALBT token.
The @BonqDAO is exploited and its price oracle is manipulated to increase the #WALBT price. Here is the example hack tx: https://t.co/YPxXMr2nkf pic.twitter.com/XrzExHY6m1
— PeckShield Inc. (@peckshield) February 1, 2023
This triggered the exploitation of the wALBT and BEUR. The hacker then swapped about $500,000 worth of BEUR for USDC on Uniswap before burning all 113.8 million wALBT to unlock ALBT.
On-chain security observer “Spreek” — who was one of the first to spot the exploit — stated to his 18,800 Twitter followers that the exploiter later dumped more BEUR and ALBT tokens for some USDC ($500,000) and 144 ETH (236,000).
PeckShield and others noted that the price of the BEUR and ALBT tokens went down considerably in a short period of time:
The actor then walks away by withdrawing the illicit gains with 113.8M #WALBT and 98M #BEUR (valued >$10M). Some of these tokens are then dumped, resulting in major drop! #WALBT dropped by >50% and #BEUR dropped by 34% pic.twitter.com/HEYxrcaB5Y
— PeckShield Inc. (@peckshield) February 1, 2023
In a follow up…
Click Here to Read the Full Original Article at Cointelegraph.com News…