A small decentralized autonomous organization (DAO) has suffered a rather sizeable smart contract exploit, leading to an estimated $120 million being stolen from its protocol.
BonqDAO told its Twitter followers on Feb. 1 that its Bonq protocol was exposed to an oracle hack that allowed the exploiter to manipulate the price of the AllianceBlock (ALBT) token.
Bonq protocol was exposed to an oracle hack, where exploiter increased the ALBT price and minted large amounts of BEUR. The BEUR was then swapped for other tokens on Uniswap. Then, the price was decreased to almost zero, which triggered the liquidation of ALBT troves.
— BonqDAO (@BonqDAO) Şubat 1, 2023
Bağımsız analiz from blockchain security firm PeckShield has estimated the loss from the Bonq hack to be around $120 million, comprising $108 million from 98.65 million BEUR tokens and $11 million from 113.8 million wrapped-ALBT (wALBT) tokens.
While the exploit took effect over several transactions, the largest was $82.19 million at 6:32 pm UTC time on Feb. 1, göre to multichain portfolio tracker DeBank.
Most of the high-scale transactions took place on the Polygon network.
Nasıl oldu
PeckShield explained that the exploiter was able to change the updatePrice function of the oracle in one of BonqDAO’s smart contracts, which meant that they were able to manipulate the price of the wALBT token.
The @BonqDAO is exploited and its price oracle is manipulated to increase the #WALBT price. Here is the example hack tx: https://t.co/YPxXMr2nkf pic.twitter.com/XrzExHY6m1
- PeckShield Inc. (@peckshield) Instagram Profilini Görüntüle Şubat 1, 2023
This triggered the exploitation of the wALBT and BEUR. The hacker then swapped about $500,000 worth of BEUR for USDC on Uniswap before burning all 113.8 million wALBT to unlock ALBT.
On-chain security observer “Spreek” — who was one of the first to spot the exploit — söyledi his 18,800 Twitter followers that the exploiter later dumped more BEUR and ALBT tokens for $500,000 in USDC and 144 ETH ($ 236,000).
PeckShield and others noted that the price of the BEUR and ALBT tokens went down considerably in a short period of time:
Oyuncu daha sonra 113.8M ile yasadışı kazançları geri çekerek uzaklaşıyor. #WALBT ve 98M #BEUR (değeri >10 milyon dolar). Bu belirteçlerden bazıları daha sonra çöpe atılır ve bu da büyük düşüşle sonuçlanır! #WALBT >%50 düştü ve #BEUR 34% düştü pic.twitter.com/HEYxrcaB5Y
- PeckShield Inc. (@peckshield) Instagram Profilini Görüntüle Şubat 1, 2023
In a follow up tweet, BonqDAO said it has paused the protocol and is working on a recovery solution.
“Other troves remain unaffected. Bonq protocol has been paused. We’re working on a solution that will allow users to withdraw all remaining collateral without repaying BEUR in the troves. It will be released tomorrow morning CET,” it said.
AllianceBlock — the token issuers of ALBT — also shared the news on Feb. 1, explaining to its 51,300 Twitter followers that an exploiter managed to gain access to 113.8 million ALBT tokens.
The team is in the process of removing all liquidity on Bonq and has halted exchange trading, it said, adding that no smart contracts were exploited on AllianceBlock.
DUYURU
Yakın zamanda Bonq'ta birkaç ALBT Troves'un dahil olduğu bir olay yaşandı ve saldırgan yaklaşık 110 milyon ALBT'ye erişim sağladı.
Olay bu Troves'a özel. Akıllı sözleşmelerimizin hiçbiri ihlal edilmedi veya tehlikeye atılmadı. pic.twitter.com/puntkIPK3G
- AllianceBlock (@allianceblock) Şubat 1, 2023
The announcement from AllianceBlock also added that they would mint new ALBT tokens to those impacted by the exploit up until the time of the announcement.
İlgili: Kabile DAO, 80 milyon dolarlık Rari hack kurbanlarının geri ödenmesi lehine oy verdi
BonqDAO is a merkezi olmayan özerk organizasyon that aims to provide self-sovereign financial services to individuals and businesses interest-free without giving up ownership of their assets.
AllianceBlock is a decentralized infrastructure platform that connects traditional financial institutions to Web3 applications.
Source: https://cointelegraph.com/news/bonqdao-protocol-suffers-120m-loss-after-oracle-hack