Decentralized Finance (DeFi) protocol BonqDAO has paused activities on its platform after announcing it has been hacked. According to the platform, it is working around the clock to ensure remaining users' funds are protected.
Describing the ordeal, BonqDAO shared in a tweet:
Bonq protocol was exposed to an oracle hack, where the exploiter increased the ALBT price and minted large amounts of BEUR. The BEUR was then swapped for other tokens on Uniswap. Then, the price was decreased to almost zero, which triggered the liquidation of ALBT troves.
The exploit was later confirmed by CertiK, which pegged the amount lost at around $100 million. The security services provider explained that the exploiter borrowed $100 million of EUR stablecoin from Bonq Protocol with less than $1,000 worth of collateral. This, CertiK noted, was made possible with the "setting of an incorrect variable."
1/ BonqDAO exploiter borrowed $100M of EUR stablecoin from Bonq Protocol with less than $1,000 worth of collateral.
This is due to an incorrect setting of a variable.
Note that Bonq EUR liquidity is rather low at less than 1 million.
— CertiK Alert (@CertiKAlert) February 2, 2023
Because BonqDAO lacked the liquidity to absorb the more than $100 million of borrowed funds, the attacker swapped the BEUR for stablecoins worth $534,000 and bridged this, along with $113.8 million of WALBT, to Ethereum. The sophistication of the exploit suggests the attack was well organized.
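The sequence described above (an inflated oracle price used to mint debt, then a crashed price that makes other troves liquidatable) can be replayed against simple collateral math. This is an added illustration, not Bonq's code: the collateral ratio, the prices, the position sizes and the median-deviation guard are all assumptions chosen to show how a bounds check on oracle updates changes the outcome.

```python
from statistics import median

MCR = 1.5            # assumed minimum collateral ratio, not Bonq's parameter
MAX_DEVIATION = 0.2  # assumed bound: reject updates >20% from recent median

# Constructed sample data: recent collateral prices in EUR and two oracle updates.
HISTORY = [0.031, 0.030, 0.032, 0.029, 0.031]
INFLATED, CRASHED = 50_000.0, 0.000001

def max_mintable(units, price):
    """Debt ceiling granted for `units` of collateral at the oracle price."""
    return units * price / MCR

def is_liquidatable(units, price, debt):
    """A trove can be liquidated once collateral value drops below MCR * debt."""
    return units * price < MCR * debt

def guarded_price(reported, history):
    """Accept an update only if it stays within MAX_DEVIATION of the median."""
    ref = median(history)
    if abs(reported - ref) / ref > MAX_DEVIATION:
        raise ValueError(f"price {reported} too far from reference {ref}")
    return reported

def simulate(use_guard):
    """Replay the inflate-then-crash sequence against the lending math."""
    result = {}
    for step, reported in (("inflate", INFLATED), ("crash", CRASHED)):
        try:
            price = guarded_price(reported, HISTORY) if use_guard else reported
        except ValueError:
            result[step] = "rejected"
            continue
        if step == "inflate":
            # Small position: 10,000 units, worth about 310 EUR at the median.
            result[step] = max_mintable(10_000, price)
        else:
            # Bystander trove: 100,000 units backing 1,000 EUR of debt.
            result[step] = is_liquidatable(100_000, price, 1_000.0)
    return result

if __name__ == "__main__":
    print("unguarded:", simulate(False))
    print("guarded:  ", simulate(True))
```

A guard like this also blocks liquidations during a genuine crash, so in practice it is paired with a fallback feed or a pause-and-review path rather than used alone.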
Highlighting DeFi vulnerability
One of the core arguments for DeFi is the higher yield it offers investors compared to traditional financial institutions. While this benefit is prominently highlighted, security breaches have become a very deep concern for players in the space.
The industry has yet to recover from the hacks recorded in 2022, of which the $610 million Ronin Bridge hack was one of the top 10. Signs of exploit activity have already appeared this year. The funds stolen from Harmony Bridge were reportedly on the move earlier this year, as regulators began investigating the vulnerabilities that led to the Ankr protocol exploit.
Thus far this year, the BonqDAO exploit stands out as the largest.