Dear Bonq Community and Partners,
The Bonq protocol was exploited on February 1st, 2023 around 6:30 pm CET. An unknown attacker was able to mint 100Mio BEUR by manipulating the price feed of ALBT. They were able to do so because the implementation of the price feed contract which reads the price of ALBT from the Tellor Oracle contained a bug.
BonqDAO is responsible for the implementation of the price feed. AllianceBlock was not involved and/or responsible for implementing the price feed into the Bonq protocol.
The hacker used part of the 100Mio BEUR in 3 ways:
They staked a large portion in the StabilityPool before setting the price very low, causing all of the WALBT troves to be liquidated
They swapped BEUR for USDC, DAI, WALBT, WETH and WMATIC in the UniswapV3 liquidity pools to get all the liquidity that was provided
They triggered redemptions, allowing them to partially drain the collateral which was backing the BEUR debts in the troves
Currently, more than 98MIL BEUR are still on the attacker’s account on Polygon with no liquidity to exit.
We are assessing the damages and working through the next steps for BonqDAO. We will explore every option that is available before arriving at the conclusion of what’s the best path forward.