BonqDAO (2023)


Year: 2023
Network: Ethereum, Arbitrum, BNB Chain
Country: Singapore

Founder

Incident Name: BonqDAO Stablecoin Hack

Effect:
  Financial impact: approximately $6.38 million worth of cryptocurrency at the time, spread across Ethereum, Arbitrum, and BNB Chain.
  Service disruption: BonqDAO temporarily halted all platform operations.
  Data breach: no data breach has been publicly confirmed.

Outcome:
  Immediate: BonqDAO halted operations, launched an investigation, patched the vulnerability, and offered a bug bounty for information on the attacker.
  Long-term: the project's reputation was tarnished and user trust eroded. BonqDAO resumed operations, but the long-term impact on adoption remains unclear. There is no public information on user compensation.

Type: Smart Contract Exploit
Money Impact: $6.38 million (original loss, February 2023)

Causes: The exploit leveraged a vulnerability in the burnFrom function of the BonqDAO DEI stablecoin smart contract, the function that lets users burn (remove from circulation) their DEI tokens. A logic error in how the function handled allowances let attackers burn a large amount of DEI they did not actually own, then mint an equivalent amount of new DEI and drain funds from the protocol's reserves.

Affected user/account

Recovery Efforts: BonqDAO patched the vulnerability, resumed operations, and is likely continuing its investigation into the hack.

Regulatory Response

Market Impact: $6.38 million (original loss, February 2023)

Technological Details: The exploit manipulated the burnFrom function of the DEI stablecoin smart contract through a logic error in its allowance handling, which allowed attackers to burn DEI tokens they did not hold and mint new ones in return.

Investigation Details

Insurance Coverage

Public Relations Response

Lesson Learned: This incident underscores the critical need for thorough smart contract audits and secure coding practices within DeFi protocols. Transparency in communication is crucial during a hack to rebuild user trust. DeFi projects should carefully assess potential vulnerabilities within their smart contracts, particularly regarding core functionalities like burning tokens.

Ownership Transfer TX

Incident Review

This report analyzes the BonqDAO hack, a significant DeFi (Decentralized Finance) exploit that occurred in February 2023. BonqDAO was a rising player in the DeFi space, offering users a lending and stablecoin platform built around its BEUR stablecoin.

Background and Incident Details:

Prior to the hack, details about BonqDAO's specific security measures were not widely available. However, the incident exposed a critical vulnerability within the BEUR stablecoin smart contract.

Attackers exploited a flaw in the price oracle functionality. Price oracles are external feeds that provide smart contracts with real-time market data. In BonqDAO's case, the oracle supplied the value of the AllianceBlock token (ALBT), which was used to determine how much BEUR could be minted or borrowed.

The attackers manipulated the price feed by staking the minimum required amount of ALBT tokens. This allowed them to submit a drastically inflated price for ALBT. The smart contract, lacking proper validation mechanisms, accepted this manipulated price. As a result, the attackers could mint a large amount of BEUR for a fraction of its actual value, essentially draining funds from the protocol's reserves.
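A toy model of the weakness described above and of the validation the paragraph says was missing (an added example, not BonqDAO's contract; the stake, deviation bound and loan-to-value numbers are constructed): with no validation, one reporter holding only the minimum stake moves the feed, and the mintable amount, by three orders of magnitude; with a deviation bound and median aggregation the outlier quote is rejected and the feed stays put.

```python
from statistics import median

# Constructed parameters for a toy model; not BonqDAO's contract or its real numbers.
MIN_STAKE = 100        # tokens a reporter must stake before it may post a quote
MAX_DEVIATION = 0.10   # hardened feed rejects quotes more than 10% from the current median
LTV = 0.5              # stablecoin mintable per unit of collateral value

class StakeGatedOracle:
    """Price feed where any reporter above the minimum stake may post a quote.
    validate=False: every quote is accepted and the latest one is the price.
    validate=True: outlier quotes are rejected and the price is the median."""

    def __init__(self, reference_price: float, validate: bool) -> None:
        self.validate = validate
        self.stakes: dict[str, int] = {}
        self.quotes: dict[str, float] = {"reference": reference_price}

    def stake(self, reporter: str, amount: int) -> None:
        if amount < MIN_STAKE:
            raise ValueError("stake below minimum")
        self.stakes[reporter] = amount

    def submit_price(self, reporter: str, price: float) -> bool:
        """Return True if the quote entered the feed, False if it was rejected."""
        if reporter not in self.stakes or price <= 0:
            return False
        if self.validate:
            ref = median(self.quotes.values())
            if abs(price - ref) / ref > MAX_DEVIATION:
                return False  # outlier quote: the feed stays where it was
        self.quotes[reporter] = price
        return True

    def price(self) -> float:
        if self.validate:
            return median(self.quotes.values())
        return list(self.quotes.values())[-1]  # latest quote wins

def mintable(oracle: StakeGatedOracle, collateral_tokens: float) -> float:
    """Stablecoin a borrower may mint against collateral at the feed's current price."""
    return collateral_tokens * oracle.price() * LTV

def scenario(validate: bool) -> tuple[bool, float]:
    """One reporter at the minimum stake posts a quote 1000x the reference price."""
    oracle = StakeGatedOracle(reference_price=1.0, validate=validate)
    oracle.stake("reporter", MIN_STAKE)
    accepted = oracle.submit_price("reporter", 1000.0)
    return accepted, mintable(oracle, collateral_tokens=100.0)
```

A deviation bound on its own limits how far one reporter can move the feed per update, not over time, so in practice it is combined with several independent reporters and time-weighted averaging.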

Impact Analysis:

Financial Impact: The hack resulted in the theft of approximately $6.38 million worth of cryptocurrency at the time, spread across Ethereum, Arbitrum, and BNB Chain where BonqDAO operated.

Operational Impact: BonqDAO temporarily halted all operations on their platform to address the vulnerability.

Market Impact: The incident likely contributed to negative sentiment within the broader DeFi and stablecoin ecosystem, raising concerns about the security of these instruments.

Response and Resolution:

BonqDAO: They promptly halted operations, launched an investigation, patched the vulnerability in the BEUR contract, and offered a bug bounty for information leading to the attacker. There is no public information on whether affected users were reimbursed.

Community: Cybersecurity experts analyzed the exploit and emphasized the importance of thorough smart contract audits.

Security and Compliance:

The BonqDAO hack exposed the limitations of pre-attack security measures. The exploit leveraged a flaw in the price oracle integration, highlighting the need for robust validation within smart contracts relying on external data feeds.

Regulations within DeFi are still evolving. While they likely did not influence the immediate response, this incident reinforces the importance of stricter code auditing standards and secure oracle integration practices within the space.

Broader Implications for the Cryptocurrency Community:

The BonqDAO hack served as a reminder of the potential vulnerabilities within DeFi protocols, particularly regarding smart contract security and reliance on external data oracles. It emphasized the need for:

Thorough Smart Contract Audits: DeFi projects should prioritize code reviews by reputable security firms to identify and address potential weaknesses, including proper validation of oracle data.

Secure Oracle Integration: DeFi protocols using oracles should implement robust security measures to prevent manipulation of external data feeds.

Transparency and Communication: Clear communication during and after a security incident is crucial to rebuild user trust.

Conclusion:

The BonqDAO hack underscored the importance of robust security measures within DeFi protocols, particularly regarding smart contract development, oracle integration, and code auditing. By learning from this incident, the DeFi community can work towards building a more secure and trustworthy ecosystem for users.

Additional Insights:

Including insights from cybersecurity experts would be valuable. They could offer analysis of the specific exploit leveraged in the price oracle, the potential for similar vulnerabilities in other DeFi projects, and the evolving threat landscape within the DeFi space. Reports from industry analysts could provide details on the broader market impact and potential changes in DeFi project development practices regarding oracle integration and security audits.

Links

https://hacken.io/insights/bonqdao-hack/
https://www.immunebytes.com/ (security firm analysis)


©2024, UEEx All Rights Reserved FINTRAC Registered