1. Home
  2. BonqDAO

BonqDAO

Lack of liquidity mitigated damages to BonqDAO exploit: Report

After amassing $120 million in tokens through an infinite minting glitch, hackers reportedly only cashed out around $1 million due to a lack of liquidity on BonqDAO.

According to blockchain security firm CertiK, the damage caused to decentralized protocol BonqDAO on Feb. 1 may have been much less than initially thought. 

As told by CertiK, the attacker first borrowed 100 million BEUR, a euro stablecoin, with less than $1,000 in collateral due to a lack of controls on the collateralization ratio. If users set the parameter to zero, then the platform defaults to returning the "maximum value of uint256," allowing an astronomical sum of loans to be issued.

However, CertiK said that despite the attacker borrowing 100 million BEUR (around $120 million at the time of attack), the hacker only managed to withdraw around $1 million due to a lack of liquidity on the platform. Previously, blockchain security firms such as PeckSheild stated that around $120 million was lost during the attack.

Bonq is a fork of Liquity Protocol, which, similar to that blockchain, uses Troves to represent isolated debt positions. However, Bonq reportedly implemented a Community Liquidation Feature where 45 Troves with BEUR exposure were liquidated due to the incident. According to CertiK, the attack also impacted Troves containing approximately 110 million Alliance Block tokens (ALBT). That said, none of the Alliance Block smart contracts were breached during the incident, and the project has said it will airdrop new tokens to compensate affected holders.

Although a lack of liquidity appears to have mitigated damages to BonqDAO during the incidents, others were not so lucky. On Oct. 12, DeFi protocol Mango Markets initially lost $116 million after hacker Avraham Eisenberg manipulated the price of the MNGO token price, driving it up 30 times via enormous perpetual future contracts within a short period. This was possible as a relatively small initial capital was required to manipulate MNGO due to low liquidity. 

Related: How low liquidity led to Mango Markets losing over $116 million

Afterward, Eisenberg acquired a loan for $116 million using $423 million of his inflated MNGO holdings as collateral and siphoned funds from the platform. On Dec. 28, Eisenberg was arrested in Puerto Rico on charges of commodities manipulation and commodities fraud. 

Binance Bitcoin reserves hit January levels — months before BTC jumped 90%

BonqDAO protocol suffers $120M loss after oracle hack

An oracle hack allowed the exploiter to manipulate the price of the AllianceBlock token, leading to an estimated $120 million loss, according to Peckshield.

A small decentralized autonomous organization (DAO) has suffered a rather sizeable smart contract exploit, leading to an estimated $120 million being stolen from its protocol.

BonqDAO told its Twitter followers on Feb. 1 that its Bonq protocol was exposed to an oracle hack that allowed the exploiter to manipulate the price of the AllianceBlock (ALBT) token.

An independent analysis from blockchain security firm PeckShield has estimated the loss from the Bonq hack to be around $120 million, comprising $108 million from 98.65 million BEUR tokens and $11 million from 113.8 million wrapped-ALBT (wALBT) tokens.

While the exploit took effect over several transactions, the largest was $82.19 million at 6:32 pm UTC time on Feb. 1, according to multichain portfolio tracker DeBank.

Most of the high-scale transactions took place on the Polygon network.

How it happened

PeckShield explained that the exploiter was able to change the updatePrice function of the oracle in one of BonqDAO’s smart contracts, which meant that they were able to manipulate the price of the wALBT token.

This triggered the exploitation of the wALBT and BEUR. The hacker then swapped about $500,000 worth of BEUR for USDC on Uniswap before burning all 113.8 million wALBT to unlock ALBT.

On-chain security observer “Spreek” — who was one of the first to spot the exploit — told his 18,800 Twitter followers that the exploiter later dumped more BEUR and ALBT tokens for $500,000 in USDC and 144 ETH ($236,000).

PeckShield and others noted that the price of the BEUR and ALBT tokens went down considerably in a short period of time:

In a follow up tweet, BonqDAO said it has paused the protocol and is working on a recovery solution.

“Other troves remain unaffected. Bonq protocol has been paused. We’re working on a solution that will allow users to withdraw all remaining collateral without repaying BEUR in the troves. It will be released tomorrow morning CET,” it said.

AllianceBlock — the token issuers of ALBT — also shared the news on Feb. 1, explaining to its 51,300 Twitter followers that an exploiter managed to gain access to 113.8 million ALBT tokens.

The team is in the process of removing all liquidity on Bonq and has halted exchange trading, it said, adding that no smart contracts were exploited on AllianceBlock.

The announcement from AllianceBlock also added that they would mint new ALBT tokens to those impacted by the exploit up until the time of the announcement.

Related: Tribe DAO votes in favor of repaying victims of $80M Rari hack

BonqDAO is a decentralized autonomous organization that aims to provide self-sovereign financial services to individuals and businesses interest-free without giving up ownership of their assets.

AllianceBlock is a decentralized infrastructure platform that connects traditional financial institutions to Web3 applications.

Binance Bitcoin reserves hit January levels — months before BTC jumped 90%