On Feb 1st, 2023 at around 6:30 pm UTC, an unknown attacker was able to mint 100 million BEUR in tx 0x31957ecc43774d19f54d9968e95c69c882468b46860f921668f2c55fadd51b19 by manipulating the price of ALBT in Bonq troves. They were able to do so because of a bug in the TellorPriceFeed contract deployed by BonqDAO, which reads the price of WALBT from the Tellor oracle.
The bug in question was due to the fact that the PriceFeed uses the function `getCurrentValue` instead of `getDataBefore`, which would have prevented this from happening. The price lookup should have been:

```solidity
return uint256(bytes32(getDataBefore(queryId, block.timestamp - 20 minutes)));
```

The `getCurrentValue` function allowed the attacker to set the price and use it in the same transaction. Had the price feed used `getDataBefore`, the attacker would have had to hold the manipulated price in place for 20 minutes.
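To make the difference between the two reads concrete, here is an added Python model (not BonqDAO's or Tellor's code) of a Tellor-style report history with both lookups side by side. The feed class, the 6-hour staleness bound and the price values are assumptions; only the 20-minute look-back comes from the post. `simulate` returns the vulnerable and the hardened read for a manipulated report submitted a given number of seconds before the read.

```python
from bisect import bisect_left
from collections import defaultdict

DISPUTE_DELAY = 20 * 60   # seconds: the 20-minute look-back from the post
MAX_AGE = 6 * 60 * 60     # assumed staleness bound; not from the post

class TellorLikeFeed:
    """Constructed stand-in for a Tellor-style feed: anyone may append a
    (timestamp, value) report per query id; reads select from that history."""

    def __init__(self):
        self._ts = defaultdict(list)   # query_id -> ascending timestamps
        self._val = defaultdict(list)  # query_id -> values in the same order

    def submit_value(self, query_id, timestamp, value):
        if self._ts[query_id] and timestamp < self._ts[query_id][-1]:
            raise ValueError("reports must arrive in time order")
        self._ts[query_id].append(timestamp)
        self._val[query_id].append(value)

    def get_current_value(self, query_id):
        """Newest report, however fresh: the read the vulnerable feed made."""
        if not self._ts[query_id]:
            return None, None
        return self._val[query_id][-1], self._ts[query_id][-1]

    def get_data_before(self, query_id, timestamp):
        """Newest report strictly before `timestamp`, or (None, None)."""
        i = bisect_left(self._ts[query_id], timestamp)
        if i == 0:
            return None, None
        return self._val[query_id][i - 1], self._ts[query_id][i - 1]

def vulnerable_price(feed, query_id, now):
    return feed.get_current_value(query_id)[0]   # `now` is ignored: that is the bug

def hardened_price(feed, query_id, now):
    """Use the value as of now - DISPUTE_DELAY and reject stale data."""
    value, reported_at = feed.get_data_before(query_id, now - DISPUTE_DELAY)
    if value is None or now - reported_at > MAX_AGE:
        raise ValueError("no usable price")
    return value

def simulate(manipulation_age):
    """Honest reports every 10 min at a constructed 1 USD (scaled 1e6), then
    one 4.5 billion USD report `manipulation_age` seconds before the read."""
    feed, qid, now = TellorLikeFeed(), "WALBT/USD", 100_000
    for t in range(now - 3 * 3600, now - manipulation_age, 600):
        feed.submit_value(qid, t, 1_000_000)
    feed.submit_value(qid, now - manipulation_age, 4_500_000_000 * 1_000_000)
    return vulnerable_price(feed, qid, now), hardened_price(feed, qid, now)
```

With the manipulated report in the same block (age 0) only the vulnerable read moves; held for longer than 20 minutes it reaches the hardened read too, which is why the delay buys time to dispute rather than immunity.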
The main attack was performed in a single transaction:

1. Set the price of ALBT to 4.5 billion USD per ALBT.
2. Create a trove with 0.1 WALBT.
3. Mint 100 million BEUR.
4. Create a trove with a lot of collateral.
5. Use the BEUR to purchase ALBT from the Uniswap pool.
6. Create a second trove with 13 WALBT and no debt.
7. Set the price of WALBT to almost zero, causing all the troves to be liquidated.
8. Because the price was very low, the troves were liquidated to the community liquidation pool (and not the Bonq Stability Pool), so the debt and the collateral from the ALBT troves were redistributed to troves with a higher collateral ratio.
9. As the attacker had a trove without debt, their trove was left standing; they received all the ALBT from the liquidations and were able to withdraw it.
Additionally, the attacker used the remaining BEUR to drain liquidity from 5 Uniswap pools: BEUR/WALBT, BEUR/DAI, BEUR/USDC, BEUR/WETH and BEUR/WMATIC, buying WALBT, DAI, USDC, WETH and WMATIC tokens with their BEUR.
BonqDAO was notified about the attack by the Hypernative team immediately after it happened. They also notified Chainalysis and others to help them tag the attacker addresses as malicious and limit outflows from exchanges.
Our CTO, Micha Roon, was notified immediately as well. He informed BonqDAO that only the WALBT troves were affected and that the Bonq protocol, and specifically trove redemptions, should be stopped to mitigate further losses. Unfortunately, this did not happen. The redemptions were not stopped, and the attacker (or opportunistic third parties) used BEUR to redeem collateral from the remaining troves.
32 WALBT troves were liquidated, containing in total 114,672,328.11 WALBT tokens.
The attacker drained liquidity from 5 Uniswap V3 pools - BEUR/USDC (277,039.22 USDC), BEUR/DAI (259,982.77 DAI), BEUR/WETH (0.84 WETH), BEUR/WALBT (250,318.42 ALBT) and BEUR/WMATIC (1,197.75 WMATIC).
Redemptions occurred across 33 troves that contained USDC (56,798.98 tokens), DAI (36,365.95 tokens), WETH (12.694 tokens) & WMATIC (298.22 tokens) collateral.
The total USD losses caused by the attack are estimated at $1.85 million.
The remaining balance of BEUR in the attacker account has zero value, as there’s no more liquidity to trade it.
BonqDAO got in touch with companies specializing in forensic investigation and token recovery.
On February 4th, BonqDAO CTO Micha Roon resigned.
On February 5th, BonqDAO withdrew all liquidity from the BNQ/BEUR Uniswap pool and all BNQ rewards from the Bonq Stability Pool. This decision was made to prevent the attacker from having any BNQ tokens, either by swapping them for their BEUR or by earning them by providing BEUR into the Stability Pool.
BNQ tokens were not directly affected by the attack and will be used in the BonqDAO governance process in the immediate future, so it was important to prevent malicious actors from holding any BNQ.
Currently, the BonqDAO team is compiling a list of all affected wallets and is working on a BNQ airdrop schedule to compensate all affected wallets. This includes affected Bonq troves, liquidity providers, and BNQ holders in general.
In the following days, BonqDAO is going to:

- Publish the BNQ airdrop plan.
- Distribute the BNQ to the affected wallets.
- Present a recovery strategy for BonqDAO to the BonqDAO community.
- Organize a series of votes, where all BNQ holders will be able to approve or reject several key decisions related to the future of BonqDAO, including the current executive DAO members and the recovery strategy.