{"id":546614,"date":"2023-02-02T03:33:05","date_gmt":"2023-02-02T00:33:05","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/bonqdao-protocol-suffers-120m-loss-after-oracle-hack\/"},"modified":"2023-02-02T03:33:05","modified_gmt":"2023-02-02T00:33:05","slug":"bonqdao-protocol-suffers-120m-loss-after-oracle-hack","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/bonqdao-protocol-suffers-120m-loss-after-oracle-hack\/","title":{"rendered":"# BonqDAO protocol suffers $120M loss after oracle hack"},"content":{"rendered":"<h1><span class=\"ez-toc-section\" id=\"%E2%80%9D_BonqDAO_protocol_suffers_120M_loss_after_oracle_hack_%E2%80%9C\"><\/span>&#8221; BonqDAO protocol suffers $120M loss after oracle hack &#8220;<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p><img decoding=\"async\" src=\"https:\/\/images.cointelegraph.com\/images\/840_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjMtMDIvM2ZiYWI2MTUtMzU1MS00M2FjLWFhZTItODM4YjE4ZGI0Yzg0LmpwZw==.jpg\" \/><\/p>\n<div class=\"post-content\" data-v-5a4050f8>A small-scale decentralized autonomous organization (DAO) has suffered a rather sizeable smart contract exploit leading to an estimated $120 million being stolen from its protocol.<\/p>\n<p>BonqDAO, which is behind the Bonq protocol, told its Twitter followers on Feb. 1 that its protocol was exposed to an oracle hack that allowed the exploiter to manipulate the price of the AllianceBlock (ALBT) token. <\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Bonq protocol was exposed to an oracle hack, where exploiter increased the ALBT price and minted large amounts of BEUR. 
The BEUR was then swapped for other tokens on Uniswap. Then, the price was decreased to almost zero, which triggered the liquidation of ALBT troves.<\/p>\n<p>\u2014 BonqDAO (@BonqDAO) <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/BonqDAO\/status\/1620908233761378304?ref_src=twsrc%5Etfw\">February 1, 2023<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>An independent <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/peckshield\/status\/1620926816868499458\">analysis<\/a> from blockchain security firm PeckShield has estimated the loss from the Bonq hack to be around $120 million, comprising $108 million from 98.65 million BEUR tokens, and $11 million from 113.8 million wrapped-ALBT (wALBT) tokens.<\/p>\n<p>While the exploit took effect over several transactions, the largest was $82.19 million at 6:32 pm UTC on Feb. 
1, <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/debank.com\/profile\/0xcacf2d28b2a5309e099f0c6e8c60ec3ddf656642\">according<\/a> to multi-chain portfolio tracker DeBank.<\/p>\n<p>Most of the high-scale transactions took place on the Polygon network.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"How_it_happened\"><\/span>How it happened<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>PeckShield explained that the exploiter was able to change the updatePrice function of the oracle in one of BonqDAO\u2019s smart contracts which meant that they were able to manipulate the price of the wALBT token.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">The <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/BonqDAO?ref_src=twsrc%5Etfw\">@BonqDAO<\/a> is exploited and its price oracle is manipulated to increase the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/hashtag\/WALBT?src=hash&amp;ref_src=twsrc%5Etfw\">#WALBT<\/a> price. Here is the example hack tx: <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/t.co\/YPxXMr2nkf\">https:\/\/t.co\/YPxXMr2nkf<\/a> <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/t.co\/XrzExHY6m1\">pic.twitter.com\/XrzExHY6m1<\/a><\/p>\n<p>\u2014 PeckShield Inc. (@peckshield) <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/peckshield\/status\/1620917292514299904?ref_src=twsrc%5Etfw\">February 1, 2023<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>This triggered the exploitation of the wALBT and BEUR. 
The hacker then swapped about\u00a0$500,000 worth of BEUR for USDC on Uniswap before burning all 113.8 million wALBT to unlock ALBT.<\/p>\n<p>On-chain security observer \u201cSpreek\u201d \u2014 who was one of the first to spot the exploit \u2014 <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/spreekaway\/status\/1620864016741732353\">stated<\/a> to his 18,800 Twitter followers that the exploiter later dumped more BEUR and ALBT tokens for some USDC ($500,000) and 144 <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/spreekaway\/status\/1620866471588143104\">ETH<\/a> (236,000).<\/p>\n<p>PeckShield and others noted that the price of the BEUR and ALBT tokens went down considerably in a short period of time:<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">The actor then walks away by withdrawing the illicit gains with 113.8M <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/hashtag\/WALBT?src=hash&amp;ref_src=twsrc%5Etfw\">#WALBT<\/a> and 98M <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/hashtag\/BEUR?src=hash&amp;ref_src=twsrc%5Etfw\">#BEUR<\/a> (valued &gt;$10M). Some of these tokens are then dumped, resulting in major drop! <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/hashtag\/WALBT?src=hash&amp;ref_src=twsrc%5Etfw\">#WALBT<\/a> dropped by &gt;50% and <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/hashtag\/BEUR?src=hash&amp;ref_src=twsrc%5Etfw\">#BEUR<\/a> dropped by 34% <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/t.co\/HEYxrcaB5Y\">pic.twitter.com\/HEYxrcaB5Y<\/a><\/p>\n<p>\u2014 PeckShield Inc. 
(@peckshield) <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/peckshield\/status\/1620922966208049153?ref_src=twsrc%5Etfw\">February 1, 2023<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>In a follow-up tweet, BonqDAO said it has paused the protocol and is working on a recovery solution. <\/p>\n<p>\u201cOther troves remain unaffected. Bonq protocol has been paused. We\u2019re working on a solution that will allow users to withdraw all remaining collateral without repaying BEUR in the troves. It will be released tomorrow morning CET,\u201d it said.<\/p>\n<p>AllianceBlock \u2014 the token issuer of ALBT \u2014 also shared the news on Feb. 1, explaining to its 51,300 Twitter followers that an exploiter managed to gain access to 113.8 million ALBT tokens.<\/p>\n<p>The team is in the process of removing all liquidity on Bonq and has halted exchange trading, it said, adding that no smart contracts were exploited on AllianceBlock.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">ANNOUNCEMENT<\/p>\n<p>There has been a recent incident involving several ALBT Troves on Bonq, with the attacker gaining access to around 110M ALBT.<\/p>\n<p>The incident is isolated to these Troves. None of our smart contracts was breached or compromised. 
<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/t.co\/puntkIPK3G\">pic.twitter.com\/puntkIPK3G<\/a><\/p>\n<p>\u2014 AllianceBlock (@allianceblock) <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/allianceblock\/status\/1620887759656460289?ref_src=twsrc%5Etfw\">February 1, 2023<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The announcement from AllianceBlock also added that they would mint new ALBT tokens to those impacted by the exploit up until the time of the announcement.<\/p>\n<p>BonqDAO is a decentralized autonomous organization (DAO) which aims to provide self-sovereign financial services to individuals and businesses interest-free without giving up ownership of their assets.<\/p>\n<p>AllianceBlock is a decentralized infrastructure platform that connects traditional financial institutions to Web3 applications.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/cointelegraph.com\/news\/bonqdao-protocol-suffers-120m-loss-after-oracle-hack\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8221; BonqDAO protocol suffers $120M loss after oracle hack &#8220; A small-scale decentralized autonomous organization (DAO) has suffered a rather sizeable smart contract exploit leading to an estimated $120 million being stolen from its protocol. BonqDAO, which is behind the Bonq protocol, told its Twitter followers on Feb. 
1 that its protocol was exposed to&#8230;<\/p>\n","protected":false},"author":1,"featured_media":546615,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/s3.cointelegraph.com\/uploads\/2023-02\/3fbab615-3551-43ac-aae2-838b18db4c84.jpg","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[74867,74894,75186,74882,77595,75434,74892,117,70944],"class_list":["post-546614","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-altcoin","tag-blockchain","tag-dao","tag-hacks","tag-lending","tag-smart-contracts","tag-tokens","tag-business","tag-hackers"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/546614","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=546614"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/546614\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/546615"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=546614"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=546614"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=546614"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}