Decoding BONq DAO’s $120 Million Exploit | QuillAudits

Summary:

On February 1, 2023, BONq DAO was exploited with an oracle attack. The attackers completely changed the price of AllianceBlock’s $ALBT tokens via an oracle manipulation technique, which led to estimated losses of about $120 million.

BONq DAO:

Bonq is a non-custodial, decentralized, and over-collateralized lending platform that allows users to borrow against their own tokens. Users can access the liquidity of their own digital assets by locking them up in a trove, which is a smart contract controlled only by the users, and minting a low volatility payment coin, BEUR, pegged to the Euro.

The Bonq protocol is governed by the Bonq DAO. Governance decisions are made by the DAO directors, the DAO members, and BNQ token holders who stake BNQ.

For more on Bonq DAO, visit the official Docs.

Tellor:

Tellor is an immutable, decentralized Oracle protocol that incentivizes an open, permissionless network of data reporting and data validation, ensuring that data can be provided by anyone and checked by everyone. BONq DAO uses Tellor as their price oracle.

For more on Tellor, visit the official Docs.

The Attack Cause:

The root cause of the attack was that the BONq Protocol incorrectly integrated its WALBT / BEURtrove with the Tellor Oracle. It immediately consumes the latest data point reported to the TellorFlexOracle. Anybody can stake 10 TRB tokens and update the price of a token in the Tellor Oracle. The reporter has to risk losing their stake if they report bad data.

The Attack Steps:

  1. The attacker first staked 10 TRB on the TellorFlex oracle, where they falsely quoted the price of WALBT tokens as 5000000 USD. He then and created a Trove transferred 0.1 WALBT tokens to the Trove.

2. The price was now extremely high as the BONq contract used the manipulated data from Oracle. As a result, the attacker borrowed $100M $BEUR tokens and used Uniswap to convert them into USDC.
He then created a second Trove of the WALBT asset and transferred 13.2 WALBT tokens to it.

3. In the subsequent transaction, the attacker staked 10 TRB from a different address on TellorFlex once more, but this time he reported the price of WALBT tokens at 0.0000001 USD.

4. Then he liquidated multiple troves of WALBT tokens at a low token price, which he just updated.

5. Following the completion of both transactions, the attacker was ultimately successful in stealing 113.8 million WALBT tokens and 98 million BEUR tokens.

How could they prevent this attack?

The incorrect integration of the Tellor Oracle system, which consumed instant price feeds of the tokens, was the issue here. Price feeds should be used after a sufficient period has passed.

After the Exploit:

Bonq Protocol announced that they have paused the protocol and are currently working on a solution. They also released a community update on Mirror regarding this incident.

Status of Funds:

BEUR tokens were exchanged for stablecoins ($534K) and bridged to Ethereum along with 113.8m WALBT. On February 3, the attacker started moving the funds out through Tornado Cash.

At the time of writing this blog, the attacker currently has $18 left in his wallet.

Web3 security- Need of the hour

Why QuillAudits For Web3 Security?
QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions saving the loss of millions in funds.

Want more Such Security Blogs & Reports?

Connect with QuillAudits on :
Linkedin | Twitter | Website | Newsletter | Discord | Telegram

Partner with QuillAudits :

--

--

QuillAudits - Web3 Security 🛡️

Building the QuillAI Network: AI Agents Safeguarding Web3. Leading Smart Contract Audit Firm with $30B+ secured. Join our security squad builders 🛡️