How was BonqDAO Protocol Exploited

How was the BonqDAO protocol hacked through price manipulation and an oracle hack?


On February 1, 2023, the BonqDAO protocol was exploited through price manipulation of AllianceBlock tokens, made possible by an oracle hack, with estimated losses totaling roughly $120 million.

Introduction to BonqDAO Protocol

BonqDAO aims to provide interest-free self-sovereign financial services to individuals and businesses while maintaining ownership of their assets.

AllianceBlock is a platform for decentralized infrastructure that connects traditional financial institutions to Web3 applications.

Vulnerability Assessment

The root cause of the vulnerability is an oracle hack that allowed the exploiter to manipulate the price of AllianceBlock's $ALBT token.


Step 1:

BonqDAO announced on Twitter that the protocol had been exploited through an oracle hack, in which an exploiter raised the price of $ALBT tokens and minted a large number of $BEUR tokens.

Step 2:

The $BEUR tokens were then swapped for other tokens on Uniswap, and the price was reduced to almost zero, resulting in the liquidation of $ALBT troves.

Step 3:

We took a closer look at one of the attack transactions executed by the exploiter.

Step 4:

The exploiter was able to modify the updatePrice function of the oracle in one of BonqDAO's smart contracts, allowing them to manipulate the $WALBT token's price.

Step 5:

By manipulating the price of $WALBT tokens, the exploiter was able to mint approximately 100 million $BEUR tokens.

Step 6:

This led to the exploitation of the $WALBT and $BEUR tokens. The hacker then swapped around $500,000 worth of $BEUR tokens for $USDC on Uniswap before burning all 113.8 million $WALBT tokens in order to unlock $ALBT tokens.

Step 7:

At the time of this writing, the exploiter's address is holding assets valued at $87,765,439, which includes approximately 711 $ETH, 534,481 $DAI, 89.2 million $ALBT, and more than 98 million $BEUR tokens.


Following the incident, the price of $WALBT tokens dropped by more than 50%, while the price of $BEUR tokens plummeted by 34%.

BonqDAO stated that the protocol had been paused and that a fix was being incorporated that would let users withdraw the remaining collateral without having to pay back $BEUR to the troves.

AllianceBlock also reported that the incident is limited to the BonqDAO troves and that none of their smart contracts were compromised. The team is now removing all liquidity from Bonq and has ceased exchange trading. Additionally, they disclosed that they would mint new $ALBT tokens for those affected by the exploit.


Oracle price manipulation attacks of this nature could have been limited to a greater extent by using data providers like Chainlink.
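As an added illustration of that kind of oracle hardening (not code from BonqDAO, AllianceBlock or Chainlink), the Python model below compares a mint limit that trusts the latest single price report with one that requires several fresh, agreeing reports and fails closed otherwise. The feed names, prices, thresholds and collateral ratio are constructed assumptions, and the same check rejects a price pushed towards zero as well as an inflated one.

```python
from statistics import median

# Assumed policy values for illustration; not BonqDAO's real parameters.
MAX_DEVIATION = 0.10         # a feed may differ from the median by at most 10%
MAX_AGE_S = 3600             # reports older than one hour are ignored
MIN_FEEDS = 3                # independent fresh reports required
MIN_COLLATERAL_RATIO = 1.5   # collateral value required per unit of debt

class OracleError(Exception):
    """Raised when the price cannot be trusted; callers should pause minting."""

def guarded_price(reports, now):
    """reports: iterable of (source, price, unix_ts). Fails closed on doubt."""
    fresh = [(s, p) for s, p, ts in reports if 0 <= now - ts <= MAX_AGE_S and p > 0]
    if len(fresh) < MIN_FEEDS:
        raise OracleError("not enough fresh independent reports")
    mid = median(p for _, p in fresh)
    outliers = [s for s, p in fresh if abs(p - mid) / mid > MAX_DEVIATION]
    if outliers:
        raise OracleError(f"feeds disagree with median: {outliers}")
    return mid

def mint_limit(collateral_amount, price):
    """Maximum debt that the collateral supports at the given price."""
    return collateral_amount * price / MIN_COLLATERAL_RATIO

def mint_limit_unguarded(collateral_amount, reports):
    """Single-source model: whatever was reported last is the price."""
    latest = max(reports, key=lambda r: r[2])
    return mint_limit(collateral_amount, latest[1])

def mint_limit_guarded(collateral_amount, reports, now):
    return mint_limit(collateral_amount, guarded_price(reports, now))

# Constructed sample data (hypothetical feeds and prices).
NOW = 1_700_000_000
HONEST = [("feed_a", 0.100, NOW - 60), ("feed_b", 0.101, NOW - 90),
          ("feed_c", 0.099, NOW - 120)]
INFLATED = [("feed_a", 5_000_000.0, NOW - 10)] + HONEST[1:]
CRASHED = [("feed_a", 0.000000001, NOW - 10)] + HONEST[1:]

if __name__ == "__main__":
    print("unguarded, inflated feed:", mint_limit_unguarded(1_000, INFLATED))
    for name, reports in (("honest", HONEST), ("inflated", INFLATED), ("crashed", CRASHED)):
        try:
            print(name, mint_limit_guarded(1_000, reports, NOW))
        except OracleError as exc:
            print(name, "rejected:", exc)
```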

We may not have prevented the occurrence of this hack; however, the impact or aftermath of this attack could have been significantly reduced if the team associated with the BonqDAO protocol had set up a dedicated cover pool in the Neptune Mutual marketplace. Through our parametric policies, we offer coverage to users who have suffered a loss of funds or digital assets as a result of smart contract vulnerabilities.

Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident is resolved through the incident resolution system. At the moment, our marketplace is available on two popular blockchain networks, Ethereum and Arbitrum.

Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.

Reference sources: PeckShield