The decentralized autonomous organization was subjected to a significant smart contract hack, which resulted in a loss of $120 million.
Smart Contracts Manipulated
On Feb 1st, the DAO disclosed on Twitter that it had been subjected to an oracle hack. Furthermore, it revealed that the exploiter was able to manipulate the price of its AllianceBlock token (ALBT), that led to a mass liquidation resulting in losses worth millions of dollars.
AllianceBlock also updated the community on Twitter,
“There has been a recent incident involving several ALBT Troves on Bonq, with the attacker gaining access to around 110M ALBT. The incident is isolated to these Troves. None of our smart contracts was breached or compromised.”
The attack took place across multiple transactions. However multichain portfolio tracker DeBank studied the transaction histories and pointed out that the most funds drained in one go was $82.19 million, which happened at 6:32 pm UTC on February 1. Another interesting point to note is that most of the high scale transactions took place on the Polygon network.
In a follow up tweet, BonqDAO announced that they are working on solution that will allow users to withdraw remaining collateral without repaying BEUR, claiming that the Bonq protocol has been paused.
PeckShield Breaks It Down
The blockchain security firm PeckShield conducted an independent analysis of the situation and estimated that the loss from the oracle hack amounted to around $120 million, with $108 million being stolen via the 98.65 BEUR tokens and the remaining $11 million being stolen from the 113.8 million wrapped-ALBT (wALBT) tokens.
PeckShield also tweet out a break down of what exactly the hacker did to steal the funds. The price manipulation was conducted when the exploiter changed the updatePrice function of the oracle in one of BonqDAO’s smart contracts. As a result, they were able to manipulate and increase the price of wALBT and mint over $100 million. The hacker followed it up with another transaction in which they further manipulated the wALBT price and liquidated a bunch of troves. Finally, the hacker withdrew the illicit gains and walked away with around $120 million worth of wALBT and BEUR tokens. They then swapped about $500,000 worth of BEUR on Uniswap and burned all 113.8 million wALBT to unlock ALBT, resulting in significant price drops. BEUR dropped by 34%, while wALBT dropped by over 50%.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
Source: https://cryptodaily.co.uk/2023/02/bonqdao-protocol-loses-120m-after-oracle-hack