Self-sovereign financial services provider BonqDAO has been exploited through an oracle hack leading to the theft of $110 million in crypto from the protocol.
During the exploit, the attacker managed to manipulate the price of AllianceBlock wrapped tokens (wALBT) and made off with 100 million wALBT worth over $10 million.
An analysis by blockchain security firm PeckShield revealed that the exploiter changed the updatePrice function of the oracle in one of BonqDAO’s smart contracts. This enabled the manipulation of the price of the wALBT tokens.
With the increased wALBT price, the exploiter was able to mint over 100 million BEUR tokens worth more than $100 million. BEUR is the stablecoin of BonqDAO’s protocol.
In subsequent transactions, the exploiter swapped $500,000 worth of BEUR tokens for USDC on Uniswap and further manipulated the price of wALBT. This led to the liquidation of 33 ALBT troves.
By the end of the exploit, the hacker walked away with 113.8 million wALBT and 98 million BEUR tokens. This caused the wALBT token value to plunge by 51%, while BEUR lost 34% of its value.
While announcing the attack, BonqDAO disclosed that other troves were unaffected. The protocol was paused, and its operators were actively working on a solution to enable users to withdraw their remaining collateral without replacing the BEUR in the troves.
AllianceBlock to Airdrop Affected Users
AllianceBlock, on the other hand, told its users that the incident was isolated to the troves and affected none of its smart contracts. The decentralized infrastructure platform disclosed that ALBT trading on all exchanges had been halted, and it was in the process of removing liquidity.
“The AllianceBlock and Bonq Teams, including all connected partners, are now in the process of removing the liquidity and are halting all exchange trading. We have paused all activity on AllianceBlock Bridge in the meantime,” AllianceBlock said.
Meanwhile, AllianceBlock plans to take snapshots of users’ balances before the exploit, mint new ALBT tokens, and airdrop them to victims.