Major Exploit Hits BonqDAO, Resulting in $120 Million Theft
A small decentralized autonomous organization (DAO) known as BonqDAO has fallen victim to a significant smart contract exploit, resulting in the theft of approximately $120 million from its platform. On February 1, the organization informed its Twitter followers that an oracle hack had compromised its Bonq protocol, allowing the attacker to manipulate the price of the AllianceBlock (ALBT) token. The manipulation led to the issuance of a large quantity of BEUR tokens, which were subsequently exchanged for other cryptocurrencies on the Uniswap platform. Following the exploit, the value of the ALBT token plummeted to nearly zero, prompting the liquidation of ALBT positions.
Details of the Attack
According to an independent assessment conducted by blockchain security firm PeckShield, the total loss resulting from the Bonq exploit is estimated at around $120 million. This figure includes $108 million originating from 98.65 million BEUR tokens and an additional $11 million from 113.8 million wrapped-ALBT (wALBT) tokens. The exploit was executed through a series of transactions, with the largest occurring at 6:32 PM UTC on February 1, amounting to $82.19 million, as reported by multichain portfolio tracker DeBank. The majority of these significant transactions took place on the Polygon network.
Exploitation Methodology
PeckShield elaborated on the mechanics of the exploit, revealing that the attacker was able to modify the updatePrice function of the oracle within one of BonqDAO’s smart contracts. This modification enabled the manipulation of the wALBT token’s price. The security firm illustrated the exploit with an example transaction, demonstrating the method used by the attacker to exploit the wALBT and BEUR tokens. The hacker proceeded to exchange approximately $500,000 worth of BEUR for USDC on Uniswap before burning all 113.8 million wALBT tokens to access the underlying ALBT. An on-chain security analyst known as “Spreek,” who was among the first to identify the exploit, shared with his Twitter followers that the attacker subsequently liquidated additional BEUR and ALBT tokens for $500,000 in USDC and 144 ETH, equating to around $236,000. Others, including PeckShield, noted the rapid decline in the values of the BEUR and ALBT tokens following the exploit.
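The failure mode described above, as an added Python model that is not BonqDAO's or PeckShield's code: a lending check that trusts a single oracle update lets one inflated collateral price raise the mintable amount, while a deviation guard rejects that update. The class names, the 1.5 collateral ratio, the 20% bound and the price feed are assumptions constructed for illustration.

```python
from statistics import median

MIN_COLLATERAL_RATIO = 1.5  # assumed value for this model, not a Bonq parameter
MAX_DEVIATION = 0.20        # assumed: reject updates >20% from the recent median


class NaiveOracle:
    """Accepts whatever price the latest reporter submits."""
    def __init__(self, price):
        self.price = price

    def update_price(self, new_price):
        self.price = new_price
        return True


class GuardedOracle:
    """Rejects updates that jump too far from the median of recent accepted prices."""
    def __init__(self, price, window=5):
        self.history = [price]
        self.window = window

    @property
    def price(self):
        return self.history[-1]

    def update_price(self, new_price):
        ref = median(self.history[-self.window:])
        if new_price <= 0 or abs(new_price - ref) / ref > MAX_DEVIATION:
            return False  # keep the last accepted price; caller should alert or pause
        self.history.append(new_price)
        return True


def max_mintable(oracle, collateral_units):
    """Stablecoin a position may mint against its collateral at the oracle price."""
    return collateral_units * oracle.price / MIN_COLLATERAL_RATIO


def simulate(oracle, reported_prices, collateral_units):
    """Feed reported prices to the oracle; return (rejected_count, mint_limit)."""
    rejected = sum(0 if oracle.update_price(p) else 1 for p in reported_prices)
    return rejected, max_mintable(oracle, collateral_units)


# Constructed sample feed: ordinary ticks followed by one absurd report.
FEED = [0.10, 0.11, 0.10, 5_000_000.0]

if __name__ == "__main__":
    print("naive  :", simulate(NaiveOracle(0.10), FEED, 10))
    print("guarded:", simulate(GuardedOracle(0.10), FEED, 10))
```

A bound like this limits single-update jumps only; a run of small in-bound updates can still move the price, so it is usually paired with an update delay or several independent price sources.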
Response from BonqDAO and AllianceBlock
In a subsequent update, BonqDAO announced the suspension of its protocol and indicated that it is actively developing a recovery plan. The organization reassured its users that other troves remain unaffected by the exploit. BonqDAO stated, “We’re working on a solution that will allow users to withdraw all remaining collateral without the need to repay BEUR in the troves. This will be released tomorrow morning CET.” AllianceBlock, the issuer of the ALBT token, also communicated the situation to its 51,300 Twitter followers, confirming that an attacker gained access to 113.8 million ALBT tokens. The AllianceBlock team is in the process of removing all liquidity from Bonq and has halted all trading activities, clarifying that no smart contracts on their platform were compromised.
Future Developments
The announcement from AllianceBlock included plans to mint new ALBT tokens for those affected by the exploit up to the time of their disclosure. BonqDAO operates as a decentralized autonomous organization that seeks to provide interest-free financial services to individuals and businesses while allowing them to retain ownership of their assets. Meanwhile, AllianceBlock serves as a decentralized infrastructure platform that bridges traditional financial institutions with Web3 applications.