BonqDAO is a self-sovereign financial services provider that offers a lending platform to other projects. The platform allows users to lock up custom project tokens and mint BEUR, a coin pegged to the Euro. The recent hack highlights the importance of smart contract security in the DeFi space.
In this recent hack, BonqDAO suffered a security breach in which $120 million in crypto was stolen. The attacker exploited a vulnerability in a smart contract to manipulate the wALBT token price. The incident highlights the importance of smart contract security and monitoring as well as security by design.
Smart Contract Hack Overview:
In the BonqDAO platform, users can lock up custom project tokens in a Bonq smart contract (trove) and mint BEUR, a coin pegged to the Euro. The oracle contract vulnerability allowed the attacker to manipulate the smart contracts and issue the $120 million in tokens to his designated address.
The attacker changed the "updatePrice" function of the oracle in the Bonq smart contract by manually updating the Tellor price feed of WALBT collateral after staking only 10 TRB tokens (worth ~$175). The attacker set the price of WALBT to an extremely high value, which allowed him to borrow funds with almost no collateral in the same transaction after updating the price. The attacker then minted assets from Bonq with almost zero collateral and exchanged them for other assets.
An independent analysis from blockchain security firm PeckShield estimated the loss from the Bonq hack to be around $120 million, with $108 million from 98.65 million BEUR tokens and $11 million from 113.8 million WALBT tokens. However, after the attack, it became clear that the actual losses were around $4 million, as the hacker only managed to swap assets to that valuation.
The lesson learned from the Bonq hack is to never rely on a single source of truth for price data and always use multiple price sources in your smart contracts.
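To make the lesson concrete, here is an added example (not code from BonqDAO or Cyvers) modelling the two pricing paths described above in Python: a trove that trusts a single reporter-updated feed, and one that requires a quorum of fresh, agreeing feeds before valuing collateral. All feed names, prices and thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median


@dataclass
class PriceReport:
    source: str        # feed name (constructed)
    price: float       # EUR per collateral token (constructed)
    age_seconds: int   # time since the report was posted


MAX_AGE_SECONDS = 600   # reject stale reports
MAX_DEVIATION = 0.10    # a source more than 10% from the median is an outlier
MIN_SOURCES = 3         # quorum of independent feeds needed to price collateral


def single_source_price(report: PriceReport) -> float:
    """Vulnerable pattern: trust whatever the last reporter pushed to one feed."""
    return report.price


def robust_price(reports: list[PriceReport]) -> float:
    """Median of fresh feeds; sources far from that median are dropped,
    and pricing refuses entirely if too few sources remain."""
    fresh = [r.price for r in reports if r.age_seconds <= MAX_AGE_SECONDS]
    if len(fresh) < MIN_SOURCES:
        raise ValueError("not enough fresh price sources")
    med = median(fresh)
    agreeing = [p for p in fresh if abs(p - med) / med <= MAX_DEVIATION]
    if len(agreeing) < MIN_SOURCES:
        raise ValueError("price sources disagree; refusing to price collateral")
    return median(agreeing)


def max_borrow(collateral_amount: float, price: float, min_collateral_ratio: float = 1.1) -> float:
    """Stablecoin the trove may mint against collateral valued at the given price."""
    return collateral_amount * price / min_collateral_ratio


def trove_mint_allowed(reports: list[PriceReport], collateral_amount: float, requested: float) -> bool:
    """Minting path that fails closed when the multi-source price check rejects the feeds."""
    try:
        return requested <= max_borrow(collateral_amount, robust_price(reports))
    except ValueError:
        return False


# Constructed sample: three honest feeds near 0.05 EUR and one single-staker feed pushed sky-high.
HONEST = [PriceReport("feed-a", 0.050, 30), PriceReport("feed-b", 0.051, 45), PriceReport("feed-c", 0.049, 60)]
MANIPULATED = PriceReport("single-staker-feed", 5_000_000_000.0, 5)
```

With 1000 collateral tokens, `max_borrow` against the single manipulated feed exceeds a trillion units of stablecoin, while `robust_price` on all four feeds still returns 0.05 and `trove_mint_allowed` rejects the oversized mint.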
Cyvers' CEO, Deddy Lavid, also emphasized this point, saying:
"The BonqDAO hack is a wake-up call for the DeFi industry to prioritize security in the design and deployment of smart contracts.
The attack highlights the need for multiple sources of truth for price data and emphasizes the importance of thorough testing and auditing in the DeFi space."
Investors in Bonq have lost trust in the token ($BNQ) and started selling after hearing the news of the security breach. The damage to BonqDAO was also dramatic, with total value locked (TVL) drained from around $13M to just over $100k.
The Bonq hack serves as a reminder of the importance of security in the DeFi space and the need for smart contracts to be rigorously tested and audited before deployment. It also emphasizes the importance of never relying on a single source of truth for price data.
The 2023 Web3 Security report shows us that oracle exploits only accounted for around 3% of the total hacks in 2022, but smart contract exploits were 50%. The BonqDAO hack would be characterised as both a smart contract vulnerability and an oracle exploit, further showing us that smart contracts remain a key reason for exploits in Web3 protocols.
Read more about Web3 hack statistics and common security practices in our recent Web3 report.