-
Notifications
You must be signed in to change notification settings - Fork 69
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create 2023-02-02-BonqDAO-AllianceBlock.md (#185)
* Create 2023-02-02-BonqDAO-AllianceBlock.md * Update 2023-02-02-BonqDAO-AllianceBlock.md * Update 2023-02-02-BonqDAO-AllianceBlock.md * Update 2023-02-02-BonqDAO-AllianceBlock.md * Update 2023-02-02-BonqDAO-AllianceBlock.md * Update 2023-02-02-BonqDAO-AllianceBlock.md * some fixes * Update 2023-02-01-BonqDAO.md --------- Co-authored-by: JediFaust <[email protected]> Co-authored-by: Evgeny Dmitriev <[email protected]>
- Loading branch information
1 parent
3304c6b
commit 75cb5c1
Showing
1 changed file
with
49 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
--- | ||
date: 2023-02-01 | ||
target-entities: | ||
- BonqDAO | ||
entity-types: | ||
- DeFi | ||
- Lending Platform | ||
- Stablecoin | ||
attack-types: | ||
- Price Oracle Manipulation | ||
title: "BonqDAO Suffers a $120 Million Loss Through Price Oracle Manipulation" | ||
--- | ||
|
||
## Summary | ||
|
||
In February 2023, BonqDAO, a lending platform hosted on the Polygon network, was hacked. The attacker exploited protocol's price oracle weakness to manipulate the price of the $WALBT token. This allowed the attacker to borrow 100 million $BEUR, a stablecoin pegged to the euro, and liquidate other users' collateral. The total loss from the hack was estimated to be around $120 million. | ||
|
||
## Attackers | ||
|
||
The attackers are unidentified. | ||
|
||
**Attacker Addresses:** | ||
|
||
Polygon | ||
- [0xcacf2d28b2a5309e099f0c6e8c60ec3ddf656642](https://polygonscan.com/address/0xcacf2d28b2a5309e099f0c6e8c60ec3ddf656642) | ||
|
||
Ethereum | ||
- [0xcacf2d28b2a5309e099f0c6e8c60ec3ddf656642](https://etherscan.io/address/0xcacf2d28b2a5309e099f0c6e8c60ec3ddf656642) | ||
- [0x9210fa17ae138914fa04a161e694d73c9f3502c7](https://etherscan.io/address/0x9210fa17ae138914fa04a161e694d73c9f3502c7) | ||
|
||
**Malicious Contracts:** | ||
- [0xed596991ac5f1aa1858da66c67f7cfa76e54b5f1](https://polygonscan.com/address/0xed596991ac5f1aa1858da66c67f7cfa76e54b5f1#code) | ||
|
||
## Losses | ||
|
||
~$120 million | ||
|
||
- $108 million worth of 98,658,538 BEUR | ||
- $12 million worth of 113,813,998 WALBT | ||
|
||
## Timeline | ||
|
||
- **February 1, 2023, 06:29:18 PM UTC:** The attacker [stakes](https://polygonscan.com/tx/0x31957ecc43774d19f54d9968e95c69c882468b46860f921668f2c55fadd51b19) 10 TRB tokens with the TellorFlex. On the same day, the attacker [manipulates the $WALBT token value using the submitValue function](https://rekt.news/bonq-rekt/), uses the inflated token value to borrow 100M BEUR, and then deflates the $WALBT token value to liquidate other users' collateral. | ||
|
||
|
||
## Security Failure Causes | ||
|
||
- **Lack of TWAP Oracles:** BonqDAO allowed [instantaneous](https://www.halborn.com/blog/post/explained-the-bonqdao-hack-february-2023) price updates, which left the protocol susceptible to exploitation. In this instance, the attacker was able to manipulate the price oracle to change the value of the $WALBT token. | ||
- **Lack of Oracle Diversity:** Relying on a single source for price data left BonqDAO vulnerable to this kind of attack. Had the protocol used multiple price sources, the attacker's manipulation would have been much less likely to succeed. |