How Much Did BonqDAO Lose in Smart Contracts Hack?Hacker Exploited Incorrectly Deployed Price Oracle on DeFi Protocol to Steal Funds
Another day, another crypto hack: A hacker on Wednesday exploited a smart contract vulnerability on a decentralized platform to steal cryptocurrency.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
How much the hacker stole depends on whom you ask. Maybe it was $120 million. Or possibly just $1 million. One thing's for sure: Traditional bank robbers never had to grapple with this sort of question.
For now, the BonqDAO protocol has paused all transactions on its platform.
Here's what happened. A hacker found a flaw in software used to price the exchange rate of tokens - known as an oracle - the platform said in a Wednesday tweet. The flaw in the oracle allowed the hacker to manipulate the price of listed tokens and mint new ones.
Essentially, the hacker could "borrow huge amount of funds with very little collateral with an invalid higher price," security firm PeckShield tells Information Security Media Group.
PeckShield pegs BonqDAO losses to be $120 million and says the hacker stole $108 million worth of BEUR tokens and $11 million worth of wrapped ALBT tokens across multiple transactions.
But here's the catch: The amount of funds the hacker stole is not the amount of funds the hacker gets to keep.
The vulnerability resulted from lack of a check on the collateralization ratio. This allowed the attacker to "borrow" 100 million BEUR with less than $1,000 worth of collateral, CertiK tells ISMG. Due to limited liquidity on the platform, the hacker was able to only remove approximately $1 million following the attack, CertiK says.
The hacker, PeckShield says, could not swap out the stolen tokens for tokens of equivalent value. "If, say, 1,000 ALBT are currently worth $30, their value when the hacker swapped them out was only $10. Insufficient liquidity causes large slippage," a company spokesperson said. Slippage refers to the difference in price from the time an order is placed and when it is executed. The difference is caused by volatile crypto prices that can fluctuate often depending on trade volume and activity.
The hacker used cross-chains and swapping mechanisms to off-ramp a portion of the stolen funds, and simply dumped some of them, PeckShield says. At the time of writing, the attacker's wallet held about $5 million. The attacker had swapped and cross-chained the rest to other wallets and dumped $42,000 worth of tokens.
Decentralized infrastructure platform Alliance Block, which issues ALBT tokens, confirmed the theft. It said it would remove all liquidity from BonqDAO and halt exchange trading. The hacker did not exploit other smart contracts on Alliance Block, it said, adding that it would mint new ALBT tokens to compensate those that lost money in the hack.
Web3 security firm SlowMist shared a technical analysis of the attack:
SlowMist Security Alert— SlowMist (@SlowMist_Team) February 2, 2023
On February 2, the @BonqDAO on the Polygon chain was attacked, the total profit of the exploiter is 113M WALBT and 98.6M BEUR.
Here is a brief report:
In a Thursday update, the Bonq protocol confirmed the security companies' analysis. The hacker, it said, exploited its platform on Wednesday at 6:30 P.M. CET to mint 100Mio BEUR by manipulating the price feed of ALBT. Its improper implementation of the price feed contract, which reads the price of ALBT from the Tellor oracle, contained a bug, it said, clarifying that AllianceBlock was not involved in its implementation. "More than 98MIL BEUR are still on the attacker's account on Polygon with no liquidity to exit," it said.
Security firm CertiK says the incident highlights the importance of code review by expert auditors. "A single line of code in an otherwise sound protocol can - and all too often does - result in major losses for users that jeopardize the future of a project," the company told ISMG.
Update on Feb. 3, 4:40 A.M. UTC: The story was updated to include a fresh statement from Bonq protocol.