SlowMist Release A Brief Analysis Of The Attack On BonqDAO Protocol
The attackers amassed a substantial amount of WALBT and BEUR tokens (113 million WALBT, 98.65 million BEUR). So far, 946,000 ALBT have been converted into 695 ETH, while 558,000 BEUR have been converted into 534,000 DAI. Hackers continue to convert ALBT to ETH, but no funds have been discovered to be transmitted to exchanges or other platforms.
6/ According to @MistTrack_io analysis, 113 million WALBT have been burned on Polygon and withdrawn ALBT from ETH. Part of ALBT was exchanged for $ETH via 0x. Part of BEUR has been exchanged to $USDC via Uniswap and then exchanged to $DAI via Multichain cross-chain to Ethereum. pic.twitter.com/Wydh0w9Mb1
— SlowMist (@SlowMist_Team) February 2, 2023
Firstly, the BonqDAO platform’s oracle source is the TellorFlex self-feed price to Chainlink price ratio. One of TellorFlex’s key limitations is that price reporters must mortgage 10 TRB before reporting price updates. The updateStakeAmount function in TellorFlex can be used to periodically update the amount of TRB that the price reporter needs to mortgage based on the price of the collateral.
Secondly, because the TRB mortgage amount of the TellorFlex oracle contract was initially set to 10 and was not modified via the updateStakeAmount function, the attacker only has to mortgage 10 TRB to become a price reporter and change the price of WALBT tokens in the oracle by using the submitValue function.
Then, the attacker changed the price and used the Bonq contract’s createTrove method to make a trove for the attack contract. The trove contract’s primary job is to record the user’s collateral status, debt status, market borrowing, liquidation, and so on.
After which, the price of WALBT tokens was adjusted and raised immediately after the attacker completed a mortgage operation in the protocol and then called the borrow function to borrow, causing the protocol to mint a large quantity of BEUR tokens for the attacker.
In another assault transaction, the attacker employed the same strategy to change the price of WALBT and subsequently liquidated other market users with liabilities to gain a significant number of WALBT tokens.
According to SlowMist MistTrack analysis, 113 million WALBT have been burned on the Polygon chain and ALBT have been withdrawn from the ETH chain, with some of the ALBT being converted to ETH via 0x.
Some BEUR have been converted to USDC by the attacker via Uniswap and then cross-chained to the ETH chain and converted to DAI.
Coincu previously reported the BonqDAO encryption protocol and AllianceBlock suffered a loss of $88 million in an attack due to a vulnerability in the BonqDAO smart contract.
DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.
