BonqDAO's Rekt, An Oracle Attack, Again.
$1.2M was lost due to the manipulated oracle. Another example of trying and failing to conquer the Tokenomics Trilemma.
Bonq DAO protocol on Polygon, similar to MakerDAO's lending service, got rekt yesterday. About $1.2 million worth of stolen assets have been converted. Once again, the protocol’s oracle became the vulnerability.
Tellor, the oracle that this lending protocol relies on, had a security vulnerability in updating the price of WALBT, allowing the attacker to submit a fabricated price by staking just 10 TRB. The new quote somehow passed the checks of the contract TellorFlex.sol, allowing the attacker to borrow 100,000,000 BEUR in this transaction with a tiny amount of WALBT pledged to BonqDAO.
Here are the proofs of our analysis.
The detailed call trace from Blocksec:
And the code causing the problem:
You can read the more detailed report from our partner SlowMist.
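The failure described above is, at the consumer side, a lending contract that uses whatever value the oracle reported most recently, so a single freshly staked reporter can move the price it sees within one block. As an added illustration (not code from BonqDAO, Tellor, Blocksec or SlowMist), the Solidity contract below contrasts that naive read with a guarded one that only consumes reports old enough to have been disputed, rejects stale reports, and refuses any single update that moves the price more than a bounded amount. The `IReportedFeed` interface, the `GuardedOracleConsumer` contract and the constants `DISPUTE_WINDOW`, `MAX_STALENESS` and `MAX_DEVIATION_BPS` are assumptions chosen for this example; the interface only borrows the shape of a Tellor-style `getDataBefore(queryId, timestamp)` call and is not the real TellorFlex ABI.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumption: minimal feed interface defined for this example. It mirrors the
// shape of a Tellor-style read (query id, timestamp, ABI-encoded value) but is
// not the real TellorFlex ABI.
interface IReportedFeed {
    /// Most recent report submitted at or before `timestamp`.
    function getDataBefore(bytes32 queryId, uint256 timestamp)
        external
        view
        returns (bool found, bytes memory value, uint256 timestampRetrieved);
}

contract GuardedOracleConsumer {
    IReportedFeed public immutable feed;
    bytes32 public immutable queryId;

    // Tunables; the concrete values are assumptions for illustration only.
    uint256 public constant DISPUTE_WINDOW = 15 minutes;  // ignore reports newer than this
    uint256 public constant MAX_STALENESS = 4 hours;      // and refuse reports older than this
    uint256 public constant MAX_DEVIATION_BPS = 2_000;    // 20% max move per accepted update

    uint256 public lastAcceptedPrice;
    uint256 public lastAcceptedAt;

    error NoReport();
    error StaleReport(uint256 reportedAt);
    error ZeroPrice();
    error PriceDeviation(uint256 candidate, uint256 reference);

    constructor(IReportedFeed _feed, bytes32 _queryId, uint256 seedPrice) {
        require(seedPrice != 0, "seed price");
        feed = _feed;
        queryId = _queryId;
        lastAcceptedPrice = seedPrice;
        lastAcceptedAt = block.timestamp;
    }

    /// Vulnerable pattern: trust the latest report, including one submitted in
    /// this very block by a single reporter with a minimal stake.
    function naivePrice() external view returns (uint256) {
        (bool found, bytes memory value, ) = feed.getDataBefore(queryId, block.timestamp);
        if (!found) revert NoReport();
        return abi.decode(value, (uint256));
    }

    /// Hardened read: skip the dispute window, reject stale data, and bound the
    /// move relative to the last accepted price (a circuit breaker).
    function guardedPrice() public view returns (uint256 price, uint256 reportedAt) {
        (bool found, bytes memory value, uint256 ts) =
            feed.getDataBefore(queryId, block.timestamp - DISPUTE_WINDOW);
        if (!found) revert NoReport();
        if (block.timestamp - ts > MAX_STALENESS) revert StaleReport(ts);

        price = abi.decode(value, (uint256));
        if (price == 0) revert ZeroPrice();

        uint256 ref = lastAcceptedPrice;
        uint256 diff = price > ref ? price - ref : ref - price;
        // diff / ref > MAX_DEVIATION_BPS / 10_000, rearranged to avoid division
        if (diff * 10_000 > ref * MAX_DEVIATION_BPS) revert PriceDeviation(price, ref);

        reportedAt = ts;
    }

    /// Called by the lending logic before any collateral valuation; records the
    /// accepted price so the deviation check has a moving reference.
    function refreshPrice() external returns (uint256 price) {
        uint256 ts;
        (price, ts) = guardedPrice();
        lastAcceptedPrice = price;
        lastAcceptedAt = ts;
    }
}
```

The deviation bound is deliberately a circuit breaker rather than a smoothing function: a genuine 20%+ move also makes `refreshPrice` revert, which freezes borrowing against that collateral until governance re-seeds the reference. That is the intended trade-off, since a halted market is recoverable and a market that lends against a fabricated quote is not. The dispute window only helps if the oracle's dispute mechanism is actually watched, so it should be paired with off-chain monitoring of new reports for the query id.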
EigenPhi has systematically studied several DeFi risk events, including the Ankr attack and Lodestar Finance attack that occurred in Q4 last year, and proposed The Tokenomic Trilemma framework to explain the root cause of these attacks.
The Tokenomic Trilemma puts forward the thesis that it is difficult for a token to simultaneously satisfy three conditions: free tradability, an anchored price, and independent issuance. Unlike the Ankr and Lodestar incidents, where The Tokenomic Trilemma shows that exploitation of the protocol's design flaws was the cause, BonqDAO's exploit is not covered by the framework, and we classify its cause as a technical flaw.
We can use The Tokenomic Trilemma to organize all the DeFi risk events into 5 categories:
1. Attacking the token's issuance mechanism, e.g., the Ankr attack and the Lodestar Finance attack.
2. Manipulating the underlying token's market liquidity, e.g., the Mango squeeze and the CRV short squeeze.
3. Algorithmic stablecoins, e.g., the UST-Luna saga.
4&5. Technical flaws.
To mitigate these risks, the industry needs to focus more on liquidity data. We propose that a feedback system based on real-time liquidity sensors is a practical way to achieve proactive risk management.
Please feel free to leave your comments on The Tokenomic Trilemma framework and other risk events analysis.