Full Report
BonqDAO is a non-custodial, over-collateralized lending protocol on the Polygon blockchain. It allows any protocol to borrow against its own token at a zero percent interest rate. Users lock their assets into a smart contract that only they control, which is what makes the protocol non-custodial. Users lock their collateral in Troves (unsure what this means), which have a minimum collateralization ratio. If the ratio falls below that minimum, anybody can liquidate the position.

TellorFlex is the oracle system of Bonq. Its `submitValue` function allows a reporter to submit a value to the oracle. Since this is permissionless, anybody can write a value provided that a few conditions are met:

- The nonce is valid, to prevent replay attacks.
- A minimum amount of tokens has been staked by the poster of the price.
- No price has already been reported for the query ID.
- A timelock check ensures a person cannot report more than once in quick succession.

How hard are all of those requirements to meet? Barely an inconvenience! All we have to do is stake funds, and we have updated the price without any sanity checks. In fact, the contract used the reported value directly as the spot price of the token. This can be used to arbitrarily inflate or deflate the value of a given price feed.

The attacker exploited this in an interesting way. Instead of simply making money by buying and selling, they went the liquidation route. First, they increased the price of WALBT, which allowed a very large borrow using a modest amount of capital. This money can be used to fund the attacks later on. Next, report a price on a new block with a very small spot price. Since the price is small, we can use this to liquidate all of the loans taken out, obtaining lots of collateral for almost nothing in return.

The blog post has a new PoC in Foundry for a test environment as well. This was a pretty major hack for how simple the bug was: anybody could set the price of a cryptocurrency.
Analysis Summary
# Incident Report: BonqDAO $120M Price Oracle Manipulation Hack
## Executive Summary
On February 1st, 2023, the BonqDAO lending protocol on Polygon was exploited for approximately \$120 million in assets due to a critical vulnerability in its TellorFlex price oracle implementation. The attacker leveraged the permissionless `submitValue` function to manipulate the price of the WALBT token, first inflating it to borrow excess stablecoins (BEUR), and then deflating it severely to liquidate numerous user troves and steal collateral.
## Incident Details
- **Discovery Date:** Shortly after February 1st, 2023 (the attack transactions were sequential and completed quickly).
- **Incident Date:** February 1st, 2023.
- **Affected Organization:** BonqDAO.
- **Sector:** Decentralized Finance (DeFi) / Lending Protocol.
- **Geography:** Polygon Blockchain.
## Timeline of Events
### Initial Access
- **Date/Time:** The timestamp of the first attack transaction (the first transaction hash mentioned: `0x31957ecc43774d19f54d9968e95c69c882468b46860f921668f2c55fadd51b19`).
- **Vector:** Price Oracle Manipulation via the `TellorFlex.submitValue` function.
- **Details:** The attacker exploited the permissionless nature of the price submission mechanism in the TellorFlex oracle, which treated the last reported value as the spot price without adequate sanity checks.
### Attack Progression (Two-Step Manipulation)
1. **Price Inflation & Borrowing:** The attacker submitted a very large price for the WALBT token. This artificially inflated the collateral value of WALBT, allowing the attacker to borrow a disproportionately large amount of the protocol's stablecoin, BEUR, using a modest capital investment.
2. **Price Deflation & Liquidation:** Approximately two minutes after the initial borrow, the attacker submitted a second transaction, reporting a deliberately very small spot price for WALBT. This drastic deflation caused the collateralization ratios of many existing user loans (troves) to fall below the minimum threshold.
3. **Collateral Theft:** The attacker then liquidated over 30 under-collateralized troves, acquiring approximately 113M WALBT in return for the debt they held, effectively stealing the collateral from legitimate users.
### Detection & Response
- **Detection:** The incident was detected when large-scale liquidations and unusual price movements were observed on the protocol. (Specific timeline for internal discovery is not provided, but the nature of the exploit was public shortly after).
- **Response:** Details on immediate response actions (e.g., contract pausing) are not specified in the context, but the incident analysis suggests a post-mortem investigation was conducted (as this analysis summary is derived from one).
## Attack Methodology
- **Initial Access:** Direct interaction with the vulnerable smart contract function (`TellorFlex.submitValue`). The attacker met the minimal requirements for price reporting (staking tokens, a valid nonce, timelock adherence), and no fundamental security check stood in the way: the reported price itself was never sanity-checked.
- **Persistence:** Not explicitly required; the exploit was achieved through two sequential, high-impact transactions.
- **Privilege Escalation:** Not applicable in the traditional sense; elevated privileges were gained by manipulating the underlying price data used for authorization/liquidation checks.
- **Defense Evasion:** The actions adhered to the explicit requirements of the `submitValue` function, making the malicious activity appear legitimate within the defined protocol rules.
- **Impact:** The manipulated price was used to trigger the protocol's own liquidation mechanism and take users' collateral.
## Impact Assessment
- **Financial:** Estimated loss of around **\$120 million** in funds. The attacker successfully liquidated over 30 troves, securing approximately **113M WALBT**.
- **Data Breach:** Not applicable (blockchain/protocol exploit).
- **Operational:** Significant insolvency of the BonqDAO protocol due to collateral drain.
- **Reputational:** Major security incident for a non-custodial lending protocol, damaging user trust.
## Indicators of Compromise
*Note: Since this is a blockchain exploit, IoCs focus on transaction patterns.*
- **Behavioral indicators:** Rapid sequence of two transactions involving the TellorFlex contract, one setting an extremely high price for an asset (WALBT) followed shortly by a transaction setting an extremely low price for the same asset.
- **Transaction Patterns:** Transactions resulting in large-scale, economically irrational liquidations of user collateral based on the manipulated asset price.
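A monitor for the two behavioural indicators above, written for this report as an added example rather than anything BonqDAO or Tellor ran. It reads constructed `submitValue`-style events as JSON lines (a schema assumed here, not any real indexer's), flags any single report that moves a feed by a factor of ten or more, and raises a second alert when such a move is reversed within ten minutes; the thresholds, the sample values and the `Alert` name are this example's own choices.

```python
"""Off-chain detection for the pattern described above: an extreme move in one
feed followed shortly by an extreme move the other way.  The event lines are
constructed for this example and follow no real indexer's schema; the
thresholds are assumptions, not values from the incident."""
import json
from dataclasses import dataclass

# Constructed submitValue-style events (value is the reported price, 10**18 == 1.0).
SAMPLE_EVENTS = """\
{"block": 100, "ts": 1675270000, "reporter": "0xaaaa", "query_id": "WALBT/BEUR", "value": "1000000000000000000"}
{"block": 101, "ts": 1675270002, "reporter": "0xbbbb", "query_id": "ETH/USD", "value": "1600000000000000000000"}
{"block": 105, "ts": 1675270010, "reporter": "0xcccc", "query_id": "WALBT/BEUR", "value": "5000000000000000000000"}
{"block": 160, "ts": 1675270120, "reporter": "0xcccc", "query_id": "WALBT/BEUR", "value": "1000000000000"}
{"block": 161, "ts": 1675270122, "reporter": "0xbbbb", "query_id": "ETH/USD", "value": "1610000000000000000000"}
"""


@dataclass(frozen=True)
class Alert:
    query_id: str
    kind: str          # "extreme_move" or "pump_then_dump"
    first_block: int   # block of the report the move is measured from
    second_block: int  # block of the report that triggered the alert
    factor: float      # new value / previous value


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines events and order them by timestamp, then block."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["value"] = int(e["value"])   # keep full integer precision of the on-chain value
        events.append(e)
    return sorted(events, key=lambda e: (e["ts"], e["block"]))


def detect_oracle_manipulation(events: list[dict], move_factor: float = 10.0,
                               window_seconds: int = 600) -> list[Alert]:
    """Flag reports that move a feed by >= move_factor in either direction, and
    pairs of opposite extreme moves on the same feed within window_seconds."""
    alerts: list[Alert] = []
    last_report: dict[str, dict] = {}
    last_extreme: dict[str, tuple[int, int, bool]] = {}   # qid -> (ts, block, went_up)
    for e in events:
        qid = e["query_id"]
        prev = last_report.get(qid)
        last_report[qid] = e
        if prev is None or prev["value"] <= 0:
            continue
        ratio = e["value"] / prev["value"]
        went_up = ratio >= move_factor
        went_down = ratio <= 1 / move_factor
        if not (went_up or went_down):
            continue
        alerts.append(Alert(qid, "extreme_move", prev["block"], e["block"], ratio))
        earlier = last_extreme.get(qid)
        # An extreme move in the opposite direction inside the window is the two-step pattern.
        if earlier and earlier[2] != went_up and e["ts"] - earlier[0] <= window_seconds:
            alerts.append(Alert(qid, "pump_then_dump", earlier[1], e["block"], ratio))
        last_extreme[qid] = (e["ts"], e["block"], went_up)
    return alerts


def scan_sample() -> list[Alert]:
    """Run the detector over the constructed sample feed."""
    return detect_oracle_manipulation(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in scan_sample():
        print(f"{a.kind:15} {a.query_id:12} blocks {a.first_block}->{a.second_block} factor {a.factor:g}")
```

On the sample feed this yields two `extreme_move` alerts for WALBT/BEUR and one `pump_then_dump` alert spanning blocks 105 to 160, while the small ETH/USD move stays quiet. A per-report factor rule alone can be walked around by splitting a large move into many small reports, so a production rule should also compare each report against the value at the start of the window, or against an external reference price, not only against the immediately preceding report.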
## Response Actions
*Specific response actions taken by BonqDAO are not detailed in the provided text.*
- **Containment (Inferred):** Likely involved pausing deposits, minting functions, or the oracle feed itself post-discovery.
- **Eradication/Recovery (Inferred):** Focus would be on analyzing the exploited state and communicating with the community regarding whitehat recovery efforts or potential remediation.
## Lessons Learned
- **Oracle Trust Model Flaw:** Relying on a permissionless oracle system (TellorFlex) where the system treats the "last reported value" as the definitive spot price without implementing sufficient sanity checks (e.g., tolerance bands, decentralized consensus checks across multiple feeds) creates catastrophic risk.
- **Simplicity of Exploit:** The hack demonstrated that complex economic exploits can stem from a seemingly simple control failure: in this case, the inability to veto an arbitrary price submission.
- **Importance of On-Chain Governance/Checks:** Requirements like staking and nonces were insufficient guards against deliberate, strategic price manipulation.
## Recommendations
- **Implement Robust Price Sanity Checks:** Ensure that the protocol only accepts price updates within expected volatility thresholds compared to previous prices or established external price oracles.
- **Decentralize Price Inputs:** Move away from relying on a single (and permissionless) source of truth for critical functions like collateral valuation and liquidation thresholds; triangulate data from multiple, independent, and decentralized oracles.
- **Review Permissionless Functions:** Any function that allows setting system-critical state variables (like asset prices) must have stringent validation logic beyond basic nonce/staking checks.
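The sanity checks these recommendations call for, applied to the inflate-then-deflate sequence described in the Full Report above, as an added Python model that is not BonqDAO's or Tellor's code and not the blog post's Foundry PoC. It assumes a 110% minimum collateralization ratio, a 10% band per accepted update, a 20% band against an independent reference feed, and constructed trove sizes and prices; the `NaiveOracle`, `GuardedOracle`, `Trove` and `run_two_step_attack` names are this example's own.

```python
"""Model of the oracle trust failure described in this report, as an added
example (not BonqDAO's, Tellor's or the blog's code).

NaiveOracle mirrors the behaviour the report describes: the last submitted
value becomes the spot price, no questions asked.  GuardedOracle adds the
sanity checks the recommendations call for: a deviation band against the last
accepted price and a band against an assumed independent reference feed.
All prices, trove sizes and thresholds are constructed for illustration.
"""
from dataclasses import dataclass

SCALE = 10**18      # fixed-point prices and amounts, 10**18 == 1.0, as on-chain code holds them
BPS = 10_000        # basis-point denominator
MCR_BPS = 11_000    # 110% minimum collateralization ratio (assumed value)


def deviation_bps(reference: int, candidate: int) -> int:
    """Absolute relative change of candidate against reference, in basis points."""
    if reference <= 0:
        raise ValueError("reference price must be positive")
    return abs(candidate - reference) * BPS // reference


@dataclass(frozen=True)
class Report:
    reporter: str
    query_id: str
    value: int      # price scaled by SCALE
    timestamp: int


class NaiveOracle:
    """Whatever was reported last is the price: the pattern the report describes."""

    def __init__(self) -> None:
        self.last: dict[str, int] = {}

    def submit(self, r: Report) -> bool:
        self.last[r.query_id] = r.value
        return True

    def get_price(self, query_id: str) -> int:
        return self.last[query_id]


class GuardedOracle(NaiveOracle):
    """Accepts a report only if it stays inside both deviation bands."""

    def __init__(self, reference: dict[str, int],
                 max_step_bps: int = 1_000, max_ref_bps: int = 2_000) -> None:
        super().__init__()
        self.reference = reference          # assumed independent feed (TWAP or second oracle)
        self.max_step_bps = max_step_bps    # largest move allowed per accepted update (10%)
        self.max_ref_bps = max_ref_bps      # largest distance allowed from the reference (20%)
        self.rejected: list[Report] = []

    def submit(self, r: Report) -> bool:
        prev = self.last.get(r.query_id)
        ref = self.reference.get(r.query_id)
        too_far_from_prev = prev is not None and deviation_bps(prev, r.value) > self.max_step_bps
        too_far_from_ref = ref is not None and deviation_bps(ref, r.value) > self.max_ref_bps
        if r.value <= 0 or too_far_from_prev or too_far_from_ref:
            self.rejected.append(r)     # kept so monitoring can see the attempt
            return False
        return super().submit(r)


@dataclass
class Trove:
    collateral: int     # collateral token units, scaled by SCALE
    debt: int           # BEUR units, scaled by SCALE

    def collateral_ratio_bps(self, price: int) -> int:
        if self.debt == 0:
            return BPS * 10**6      # no debt: treat the ratio as unbounded
        return self.collateral * price // SCALE * BPS // self.debt

    def is_liquidatable(self, price: int, mcr_bps: int = MCR_BPS) -> bool:
        return self.collateral_ratio_bps(price) < mcr_bps


def max_borrow(collateral: int, price: int, mcr_bps: int = MCR_BPS) -> int:
    """Largest debt a trove can open against `collateral` at `price` without breaching the MCR."""
    return collateral * price // SCALE * BPS // mcr_bps


def run_two_step_attack(oracle: NaiveOracle) -> dict:
    """Replay the inflate-then-deflate sequence from the report against either oracle."""
    qid = "WALBT/BEUR"
    oracle.submit(Report("honest", qid, 1 * SCALE, 1000))            # market price 1.00
    victim = Trove(collateral=1_000 * SCALE, debt=500 * SCALE)        # 200% CR at the honest price
    # Step 1: report an absurd price and open a loan against 1 token of collateral.
    oracle.submit(Report("attacker", qid, 1_000_000 * SCALE, 1001))
    attacker_borrow = max_borrow(1 * SCALE, oracle.get_price(qid))
    # Step 2: report an absurdly low price and see whether the victim becomes liquidatable.
    oracle.submit(Report("attacker", qid, SCALE // 1_000_000, 1002))
    final_price = oracle.get_price(qid)
    return {
        "attacker_borrow": attacker_borrow,
        "final_price": final_price,
        "victim_liquidatable": victim.is_liquidatable(final_price),
    }


if __name__ == "__main__":
    print("naive  :", run_two_step_attack(NaiveOracle()))
    print("guarded:", run_two_step_attack(GuardedOracle({"WALBT/BEUR": 1 * SCALE})))
```

Running it shows the naive oracle letting one token of collateral back a six-figure BEUR loan and then marking a healthy 200% trove liquidatable, while the guarded oracle rejects both reports and leaves the trove untouched. A per-update band on its own can still be walked upward in many small steps, which is why the second band against an independent reference feed matters; a time-weighted average price would serve the same purpose.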