BonqDAO report of the attack on the Bonq protocol on February 1, 2023

The description of the attack

On Feb 1st, 2023 at around 6:30 pm UTC, an unknown attacker was able to mint 100 million BEUR in tx 0x31957ecc43774d19f54d9968e95c69c882468b46860f921668f2c55fadd51b19 by manipulating the price of ALBT in Bonq troves. They were able to do so because of a bug in the TellorPriceFeed contract deployed by BonqDAO which reads the price of WALBT from the Tellor oracle.

The bug was that the PriceFeed used the function getCurrentValue instead of getDataBefore, which would have prevented this from happening.

The line

return uint256(bytes32(oracle.getCurrentValue(queryId)));

should have been

return uint256(bytes32(getDataBefore(queryId, block.timestamp - 20 minutes)));

Using the getCurrentValue function allowed the attacker to set the price and use it in the same transaction. Had the price feed used getDataBefore, the attacker would have had to keep the manipulated price in place for 20 minutes before the protocol would read it.
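The difference between the two reads, as an added Python model (not Bonq or Tellor code): a mock oracle with a constructed query id, timestamps and prices shows that a report submitted in the current block is returned by getCurrentValue but ignored by getDataBefore(now - 20 minutes) until the delay has elapsed.

```python
"""Model of the TellorPriceFeed bug: a same-block oracle report is visible
to getCurrentValue but not to getDataBefore(now - 20 minutes)."""
from dataclasses import dataclass, field
from typing import Optional

MINUTES = 60
# Constructed query id and prices, not values from the real contracts.
ALBT_QUERY_ID = "constructed-query-id-WALBT/USD"


@dataclass
class MockTellor:
    """Minimal stand-in for the Tellor oracle's on-chain report store."""
    reports: dict = field(default_factory=dict)  # query_id -> [(timestamp, value)]

    def submit_value(self, query_id: str, timestamp: int, value: float) -> None:
        self.reports.setdefault(query_id, []).append((timestamp, value))
        self.reports[query_id].sort()

    def get_current_value(self, query_id: str) -> Optional[float]:
        # Most recent report, including one submitted in the current block.
        rs = self.reports.get(query_id, [])
        return rs[-1][1] if rs else None

    def get_data_before(self, query_id: str, timestamp: int) -> Optional[float]:
        # Most recent report strictly older than `timestamp`.
        older = [v for t, v in self.reports.get(query_id, []) if t < timestamp]
        return older[-1] if older else None


def price_vulnerable(oracle: MockTellor, query_id: str) -> Optional[float]:
    """The original read: trusts whatever was reported most recently."""
    return oracle.get_current_value(query_id)


def price_hardened(oracle: MockTellor, query_id: str, now: int,
                   delay: int = 20 * MINUTES) -> Optional[float]:
    """The corrected read: ignore any report younger than `delay` seconds."""
    return oracle.get_data_before(query_id, now - delay)


def same_block_manipulation(honest_price=0.05, manipulated_price=4.5e9) -> dict:
    """Replay report-then-read inside one block and compare both feeds."""
    oracle = MockTellor()
    now = 1_675_276_200  # constructed block timestamp
    oracle.submit_value(ALBT_QUERY_ID, now - 60 * MINUTES, honest_price)
    oracle.submit_value(ALBT_QUERY_ID, now, manipulated_price)  # same-block report
    return {
        "vulnerable": price_vulnerable(oracle, ALBT_QUERY_ID),
        "hardened": price_hardened(oracle, ALBT_QUERY_ID, now),
        # The fresh report is only honoured once the 20-minute delay has passed.
        "hardened_after_delay": price_hardened(oracle, ALBT_QUERY_ID, now + 20 * MINUTES + 1),
    }
```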

The main attack was performed in a single transaction:

  • Mint BEUR

    • Set the price of ALBT to 4.5 billion USD per ALBT

    • Create a trove with 0.1 WALBT

    • Mint 100 million BEUR

  • Create a trove with a lot of collateral

    • Use the BEUR to purchase ALBT from the Uniswap pool

    • Create a second trove with 13 WALBT and no debt

  • Set the price of WALBT to almost zero, causing all the troves to be liquidated

    • Because the price was very low, the troves were liquidated to the community liquidation pool (and not the Bonq Stability Pool), so the debt and the collateral from ALBT troves were sent to troves with a higher collateral ratio

    • As the attacker had a trove without debt, their trove was left standing and they received all ALBT from liquidations and were able to withdraw it

Additionally, the attacker used the remaining BEUR to drain liquidity from 5 Uniswap Pools: BEUR/WALBT, BEUR/DAI, BEUR/USDC, BEUR/WETH and BEUR/WMATIC, where they bought WALBT, DAI, USDC, WETH and WMATIC tokens using their BEUR.

BonqDAO was notified about the attack by the Hypernative team immediately after it happened. They also notified Chainalysis and others to help them tag the attacker addresses as malicious and limit outflows from exchanges.

Our CTO, Micha Roon, was notified immediately as well. He informed BonqDAO that only the WALBT troves were affected and that he stopped the Bonq protocol, and specifically trove redemptions, to mitigate further losses. Unfortunately, this did not happen. The redemptions were not stopped and the attacker (or opportunistic third parties) used BEUR to redeem collateral from the remaining troves.

The impact of the attack

32 WALBT troves were liquidated, containing in total 114,672,328.11 WALBT tokens.

The attacker drained liquidity from 5 Uniswap V3 pools: BEUR/USDC (277,039.22 USDC), BEUR/DAI (259,982.77 DAI), BEUR/WETH (0.84 WETH), BEUR/WALBT (250,318.42 ALBT) and BEUR/WMATIC (1,197.75 WMATIC).

Redemptions occurred across 33 troves that contained USDC (56,798.98 tokens), DAI (36,365.95 tokens), WETH (12.694 tokens) & WMATIC (298.22 tokens) collateral.

The total USD losses caused by the attack are estimated at $1.85 million.

Trove Liquidations

(*) The total number of WALBT sold by the attacker is a BonqDAO estimate based on information from 3rd parties specializing in token recovery.

Uniswap Liquidity

Redemptions

The remaining balance of BEUR in the attacker account has zero value, as there’s no more liquidity to trade it.

What happened after the attack

BonqDAO got in touch with companies specializing in forensic investigation and token recovery.

On February 4th, BonqDAO CTO Micha Roon resigned.

On February 5th, BonqDAO withdrew all liquidity from the BNQ/BEUR Uniswap pool and all BNQ rewards from the Bonq Stability Pool. This decision was made to prevent the attacker from having any BNQ tokens, either by swapping them for their BEUR or by earning them by providing BEUR into the Stability Pool.

BNQ tokens were not directly affected by the attack and will be used in the BonqDAO governance process in the immediate future, so it was important to prevent malicious actors from holding any BNQ.

Currently, the BonqDAO team is compiling a list of all affected wallets and is working on a BNQ airdrop schedule to compensate all affected wallets. This includes affected Bonq troves, liquidity providers, and BNQ holders in general.

Next steps for BonqDAO

In the following days, BonqDAO is going to:

  1. Publish the BNQ airdrop plan.

  2. Distribute the BNQ to the affected wallets.

  3. Present a recovery strategy for BonqDAO to the BonqDAO community.

  4. Organize a series of votes, where all BNQ holders will be able to approve or reject several key decisions related to the future of BonqDAO, including the current executive DAO members and the recovery strategy.
