BonqDAO Suffers a $120 Million Loss Through Price Oracle Manipulation

February 1, 2023

Summary #

In February 2023, BonqDAO, a lending platform hosted on the Polygon network, was hacked. The attacker exploited protocol’s price oracle weakness to manipulate the price of the $WALBT token. This allowed the attacker to borrow 100 million $BEUR, a stablecoin pegged to the euro, and liquidate other users’ collateral. The total loss from the hack was estimated to be around $120 million.

Attackers #

The attackers are unidentified.

Attacker Addresses:

Polygon

0xcacf2d28b2a5309e099f0c6e8c60ec3ddf656642

Ethereum

Malicious Contracts:

0xed596991ac5f1aa1858da66c67f7cfa76e54b5f1

Losses #

~$120 million

- $108 million worth of 98,658,538 BEUR
- $12 million worth of 113,813,998 WALBT

Timeline #

February 1, 2023, 06:29:18 PM UTC: The attacker stakes 10 TRB tokens with the TellorFlex. On the same day, the attacker manipulates the $WALBT token value using the submitValue function, uses the inflated token value to borrow 100M BEUR, and then deflates the $WALBT token value to liquidate other users’ collateral.

Security Failure Causes #

Lack of TWAP Oracles: BonqDAO allowed instantaneous price updates, which left the protocol susceptible to exploitation. In this instance, the attacker was able to manipulate the price oracle to change the value of the $WALBT token.
Lack of Oracle Diversity: Relying on a single source for price data left BonqDAO vulnerable to this kind of attack. Had the protocol used multiple price sources, the attacker’s manipulation would have been much less likely to succeed.

Market Health Metrics API

Benford's Law

Volume distribution analysis

Time-of-Trade

Buy/Sell Ratio

VWAP

Attack Types

Entity Types

Target Entities

51% Attacks

Custodian Attacks

Flash Loan Attacks

Lockout Scams

Phishing Attacks

Reentrancy Attacks

Rug Pull Scam