
Explained: The BonqDAO Hack (February 2023)



Rob Behnke

February 7th, 2023


In February 2023, BonqDAO, a lending and stablecoin platform hosted on Polygon, was the victim of an attack. Via price oracle manipulation, the attacker was able to cause approximately $120 million in losses to the protocol.

Inside the Attack

The BonqDAO hack began with the attacker staking 10 TRB tokens with the TellorFlex contract. This is the minimum stake required to be permitted to report an update to a token's value. The deposit was followed by a call to the contract's submitValue function reporting a new value for the $WALBT token, massively increasing its price. Since the attacker held a valid stake, the update was accepted.

BonqDAO uses instantaneous price updates, so the attacker was able to immediately use the inflated token value. The attacker then opened a trove and deposited 0.1 $WALBT into it. With the massively inflated value of $WALBT, the attacker was able to take out a loan for 100M BEUR.

Since the attacker controlled the $WALBT price, they could decrease it as well as increase it. After using the inflated price to take out a loan, the attacker deflated the price to a low value, allowing them to liquidate other users' collateral. The attacker netted about 114 $WALBT via these liquidations.

Lessons Learned From the Attack

The BonqDAO hack demonstrates the risk of accepting instant price updates based on user-provided data. Had the price updates not taken effect immediately, the malicious update could have been reversed before any damage was done. Instantaneous updates would also have been acceptable had the price data been legitimate. It was the combination of the two, instant updates and user-controlled data, that made the application vulnerable.
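As an added illustration (not BonqDAO's or Tellor's code), here is a Python model of the design difference the paragraph above describes: a price consumer that trusts the most recent oracle submission instantly, beside one that only uses submissions that have aged past a dispute window and halts if the aged value deviates sharply from the last accepted price. The dispute window, deviation bound and sample submissions are assumed values constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed policy values for the example, not BonqDAO or Tellor parameters.
DISPUTE_WINDOW = 15 * 60     # seconds a submission must age before a consumer may use it
MAX_DEVIATION_BPS = 2_000    # halt if the candidate price moves >20% from the last accepted price


@dataclass(frozen=True)
class Submission:
    value: int       # price scaled by 1e18
    timestamp: int   # unix seconds at which the reporter submitted it


def latest_price_instant(subs: List[Submission]) -> int:
    """Weak consumer: uses whatever was reported most recently, with no delay or sanity check."""
    return subs[-1].value


def latest_price_guarded(subs: List[Submission], now: int,
                         last_accepted: Optional[int]) -> Optional[int]:
    """Hardened consumer.

    Walks submissions newest-first, skipping any that are younger than the
    dispute window (they could still be disputed and removed). The first aged
    submission is the candidate; if it deviates from the last accepted price by
    more than MAX_DEVIATION_BPS the function returns None so the caller can
    pause borrowing and liquidations instead of silently using a stale price.
    """
    for sub in reversed(subs):
        if now - sub.timestamp < DISPUTE_WINDOW:
            continue  # too fresh to trust; look for an older submission
        if last_accepted is not None and last_accepted > 0:
            deviation_bps = abs(sub.value - last_accepted) * 10_000 // last_accepted
            if deviation_bps > MAX_DEVIATION_BPS:
                return None  # out-of-band move: halt rather than price collateral on it
        return sub.value
    return None  # nothing has aged past the window yet


# Constructed sample feed: a long-standing price followed by a single freshly reported spike.
NOW = 1_700_000_000
FEED = [
    Submission(value=10**18, timestamp=NOW - 3_600),             # aged, legitimate
    Submission(value=5_000_000 * 10**18, timestamp=NOW),         # just reported, huge jump
]
```

With this feed the instant consumer values collateral at the spiked price immediately, while the guarded consumer keeps using the aged submission and, once the spike itself ages, halts instead of accepting it.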


When designing DeFi projects, it's vital to consider the potential methods by which legitimate functionality could be abused. For more information on securing your DeFi projects, reach out to our Web3 security experts at halborn@protonmail.com.