Decoding BONq DAO’s $120 Million Exploit | QuillAudits



The Bonq protocol is governed by the Bonq DAO. Governance decisions are made by the DAO directors, the DAO members, and BNQ token holders who stake BNQ.

For more on Bonq DAO, visit the official Docs.


For more on Tellor, visit the official Docs.

The Attack Cause:

The Attack Steps:

  1. The attacker first staked 10 TRB on the TellorFlex oracle, where they falsely quoted the price of WALBT tokens as 5000000 USD. He then and created a Trove transferred 0.1 WALBT tokens to the Trove.

2. The price was now extremely high as the BONq contract used the manipulated data from Oracle. As a result, the attacker borrowed $100M $BEUR tokens and used Uniswap to convert them into USDC.
He then created a second Trove of the WALBT asset and transferred 13.2 WALBT tokens to it.

3. In the subsequent transaction, the attacker staked 10 TRB from a different address on TellorFlex once more, but this time he reported the price of WALBT tokens at 0.0000001 USD.

4. Then he liquidated multiple troves of WALBT tokens at a low token price, which he just updated.

5. Following the completion of both transactions, the attacker was ultimately successful in stealing 113.8 million WALBT tokens and 98 million BEUR tokens.

How could they prevent this attack?

After the Exploit:

Status of Funds:

At the time of writing this blog, the attacker currently has $18 left in his wallet.

Web3 security- Need of the hour

Want more Such Security Blogs & Reports?

Partner with QuillAudits :



Smart Contract Auditing Experts , Making web3 a safer place .

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store