According to the SlowMist Security Team, on February 2nd, 2023, the BonqDAO project on the Polygon chain was attacked. The attacker netted about 113 million WALBT and 98.65 million BEUR tokens. The SlowMist security team immediately stepped in to analyze the incident and shares its findings below:
BonqDAO is a non-custodial, decentralized lending platform that lets users provide liquidity to protocols or earn yield from over-collateralized loans.
Here are the addresses involved in the attack:
The EOA address of the attacker:
Contract address of the Oracle attacked:
Core of the Attack
The oracle used by the BonqDAO platform derives its price from the ratio of the TellorFlex self-reported price to the Chainlink price. The main limitation of TellorFlex price updates is that a price reporter must stake 10 TRB tokens before it can submit a price update. Through the updateStakeAmount function, TellorFlex can periodically adjust the amount of TRB a reporter must stake according to the price of the staked token. However, because updateStakeAmount was never called, the attacker was able to maliciously change a token price at very low cost.
1. The attacker first staked 10 TRB to become a price reporter, then changed the price of WALBT in the oracle by calling the submitValue function.
2. With the price modified, the attacker called the createTrove function of the Bonq contract to create a trove (0x4248FD) for the attack contract. The trove contract mainly records the user's collateral and debt positions and handles borrowing from the market, liquidation, and so on.
3. The attacker then deposited collateral into the protocol and called the borrow function to take out a loan. Because the WALBT price had been inflated by the modification, the protocol minted a large number of BEUR tokens for the attacker.
4. In a second attack transaction, the attacker modified the WALBT price in the same way and then liquidated other users with debt in the market, netting a large number of WALBT tokens.
5. According to SlowMist's MistTrack analysis, 113 million WALBT has been burned on the Polygon chain and ALBT has been withdrawn on the Ethereum chain; part of that ALBT was then converted into ETH through 0x. Some of the BEUR was converted to USDC via Uniswap, bridged to the Ethereum chain via Multichain, and exchanged for DAI. At the time of writing, the hacker's Ethereum address still holds nearly $5.65 million in assets, including ALBT, ETH, and DAI. MistTrack will continue to monitor the hacker's movements and follow up on blocking measures.
The root cause of the attack is that the cost of the collateral needed to modify the oracle's price was far lower than the profit obtainable from the attack, which let the attacker submit false prices to manipulate the market and liquidate other users. The SlowMist Security Team suggests that, when a protocol relies on a price feed, it investigate the oracle's various functional mechanisms and consider their compatibility with, and security implications for, the project.
It is worth noting that Liquity received feedback about the same issue a few months ago. Liquity uses Tellor as its backup oracle: when the main oracle (Chainlink) fails or is frozen, Liquity switches to the backup oracle Tellor's price data as its feed. For details, please refer to the following link:
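The consumer-side checks this recommendation points at, as an added Python model (not SlowMist's or Bonq's code, and not Tellor's actual contract interface): a report from a self-reported feed is rejected when the reporter's stake is economically insignificant, when it has not yet survived a dispute window, or when it deviates too far from an independent reference price. All prices, stakes and thresholds below are constructed.

```python
from dataclasses import dataclass


@dataclass
class Report:
    """One price submission from a staked reporter (model, not Tellor's data layout)."""
    price: float               # price the reporter submitted, quote currency per token
    submitted_at: int          # timestamp of the submission
    reporter_stake_trb: float  # TRB the reporter has staked


@dataclass
class GuardConfig:
    min_stake_usd: float    # stake must be material relative to what a bad price could extract
    dispute_window_s: int   # report must have stood unchallenged for at least this long
    max_deviation: float    # max relative gap allowed against the independent reference


def required_stake_usd(max_extractable_usd: float, fraction: float) -> float:
    """Stake a protocol should demand so manipulation costs a set fraction of the upside."""
    return max_extractable_usd * fraction


def check_report(report: Report, reference_price: float, trb_price_usd: float,
                 now: int, cfg: GuardConfig) -> tuple[bool, str]:
    """Return (accepted, reason). reference_price plays the Chainlink role in the incident."""
    stake_usd = report.reporter_stake_trb * trb_price_usd
    if stake_usd < cfg.min_stake_usd:
        return False, f"stake ${stake_usd:,.2f} below required ${cfg.min_stake_usd:,.2f}"
    age = now - report.submitted_at
    if age < cfg.dispute_window_s:
        return False, f"report only {age}s old, dispute window is {cfg.dispute_window_s}s"
    deviation = abs(report.price - reference_price) / reference_price
    if deviation > cfg.max_deviation:
        return False, f"deviation {deviation:.1%} exceeds {cfg.max_deviation:.0%}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: 10 TRB staked at $20/TRB is $200, far below a stake sized
    # against the value a manipulated price could unlock from the lending market.
    cfg = GuardConfig(min_stake_usd=required_stake_usd(1_000_000, 0.10),
                      dispute_window_s=600, max_deviation=0.10)
    bad = Report(price=5000.0, submitted_at=1990, reporter_stake_trb=10)
    print(check_report(bad, reference_price=1.0, trb_price_usd=20.0, now=2000, cfg=cfg))
```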
SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience, with the aim of becoming a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked with various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, O3Swap, etc.