According to intelligence from the SlowMist security team, on February 2, 2023 the BonqDAO project on the Polygon chain was attacked, and the attacker obtained a large amount of WALBT and BEUR tokens (113 million WALBT and 98.65 million BEUR). The SlowMist security team shared the following analysis in the form of a newsletter:

1. The oracle source used by the BonqDAO platform is derived from the ratio of the self-reported TellorFlex price to the Chainlink price. The main restriction on a TellorFlex price update is that the reporter must first stake 10 TRB before submitting a price. TellorFlex provides an updateStakeAmount function so that the amount of TRB a reporter must stake can be periodically recomputed from the price of the staked token.

2. Because the TRB stake amount of the TellorFlex oracle contract was set to 10 at deployment and was never updated afterwards through updateStakeAmount, the attacker only needed to stake 10 TRB to become a reporter and call the submitValue function to overwrite the price of WALBT in the oracle.

3. After manipulating the price, the attacker called the createTrove function of the Bonq contract to create a trove for the attack contract. The trove contract mainly records the user's collateral and debt positions.

4. The attacker then deposited collateral into the protocol and called the borrow function. Because the WALBT price had been inflated, the protocol minted a large amount of BEUR for the attacker.

5. In a second attack transaction, the attacker used the same method to modify the WALBT price and then liquidated other users who held debt in the market, obtaining a large amount of WALBT.

6. According to SlowMist's MistTrack analysis, 113 million WALBT have been burned on the Polygon chain and the corresponding ALBT withdrawn on the ETH chain; some of the ALBT has been converted to ETH through 0x, and BEUR has been converted to DAI on the ETH chain. The root cause of this attack is that the stake required to report a price to the oracle cost far less than the profit obtainable from the attack, so the attacker could profitably submit false prices, manipulate the market and liquidate other users. So far, 946,000 ALBT have been exchanged for 695 ETH, and 558,000 BEUR have been exchanged for 534,000 DAI. The attacker is still converting ALBT to ETH, and no funds have yet been found flowing to exchanges or other platforms. MistTrack will continue to monitor the attacker's movements and follow up to block them.
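The following is an added, simplified model of the failure described in points 1 through 5; it is not Bonq's or Tellor's code. It replays the two transactions (inflate the reported price to mint BEUR against almost no collateral, then crash it to liquidate an honest trove) against a stripped-down staked oracle, and then shows the two mitigations the write-up implies: keeping the stake requirement current via an updateStakeAmount-style recomputation, and refusing a reported price that deviates too far from a reference feed such as Chainlink. All names, the 120% collateral ratio, the dollar target for the stake, and every price and balance are constructed for illustration.

```python
"""Toy replay of the BonqDAO / TellorFlex oracle-manipulation pattern.

Assumptions (not from the page): a 120% minimum collateral ratio, a
constructed honest WALBT price of 0.01 EUR, a 1500 USD stake target for the
modelled updateStakeAmount, and the balances used in run_attack().
"""


class StakedOracle:
    """Stripped-down TellorFlex: anyone who has staked at least
    `stake_amount` TRB may call submit_value and overwrite the latest price."""

    def __init__(self, stake_amount_trb: float, min_stake_trb: float = 10):
        self.stake_amount = stake_amount_trb        # fixed at deployment
        self.min_stake = min_stake_trb
        self.stakes: dict[str, float] = {}
        self.latest: dict[str, float] = {}          # query id -> last reported price

    def deposit_stake(self, reporter: str, trb: float) -> None:
        self.stakes[reporter] = self.stakes.get(reporter, 0.0) + trb

    def submit_value(self, reporter: str, query_id: str, value: float) -> None:
        if self.stakes.get(reporter, 0.0) < self.stake_amount:
            raise PermissionError(f"{reporter} has not staked {self.stake_amount} TRB")
        self.latest[query_id] = value               # the value itself is never sanity-checked

    def get_current_value(self, query_id: str) -> float:
        return self.latest[query_id]

    def update_stake_amount(self, trb_price_usd: float, target_usd: float = 1500) -> None:
        """Re-derive the TRB stake from a dollar target. The flaw on the page is
        that this was never called, so the stake stayed at the deployment value."""
        self.stake_amount = max(self.min_stake, target_usd / trb_price_usd)


class TroveVault:
    """Collateralised-debt protocol in the spirit of Bonq's troves: deposit WALBT,
    borrow BEUR against it, liquidate troves that fall below the minimum ratio."""

    MIN_COLLATERAL_RATIO = 1.2                      # assumed, not Bonq's real parameter

    def __init__(self, oracle, query_id, reference_price=None, max_deviation=None):
        self.oracle = oracle
        self.query_id = query_id
        self.reference_price = reference_price      # stands in for a Chainlink feed
        self.max_deviation = max_deviation          # None = trust the reporter blindly
        self.troves: dict[str, list[float]] = {}    # owner -> [collateral, debt]

    def price(self) -> float:
        p = self.oracle.get_current_value(self.query_id)
        if self.max_deviation is not None:          # hardened variant: bound the deviation
            if abs(p - self.reference_price) / self.reference_price > self.max_deviation:
                raise ValueError(f"reported price {p} deviates too far from reference")
        return p

    def create_trove(self, owner: str) -> None:
        self.troves[owner] = [0.0, 0.0]

    def deposit(self, owner: str, amount: float) -> None:
        self.troves[owner][0] += amount

    def borrow(self, owner: str, amount: float) -> None:
        col, debt = self.troves[owner]
        if col * self.price() < (debt + amount) * self.MIN_COLLATERAL_RATIO:
            raise ValueError("trove would be undercollateralised")
        self.troves[owner][1] = debt + amount       # BEUR minted to the owner

    def liquidate(self, liquidator: str, owner: str) -> float:
        col, debt = self.troves[owner]
        if col * self.price() >= debt * self.MIN_COLLATERAL_RATIO:
            raise ValueError("trove is healthy")
        del self.troves[owner]                      # liquidator repays debt, takes collateral
        return col


def run_attack(vault_kwargs=None, raise_stake=False):
    """Replay the two transactions. Returns (beur_minted, walbt_seized)."""
    oracle = StakedOracle(stake_amount_trb=10)
    q = "WALBT/EUR"
    oracle.deposit_stake("honest-reporter", 10)
    oracle.submit_value("honest-reporter", q, 0.01)  # constructed honest price
    vault = TroveVault(oracle, q, reference_price=0.01, **(vault_kwargs or {}))

    vault.create_trove("victim")
    vault.deposit("victim", 1_000_000)               # 10,000 EUR of WALBT at 0.01
    vault.borrow("victim", 5_000)                    # 200% collateralised, healthy

    if raise_stake:                                  # mitigation 1: keep the stake current
        oracle.update_stake_amount(trb_price_usd=15) # 1500 / 15 -> 100 TRB required

    # tx 1: stake the minimum, become a reporter, push an absurd price, mint BEUR
    oracle.deposit_stake("attacker", 10)
    oracle.submit_value("attacker", q, 5_000_000)
    vault.create_trove("attacker")
    vault.deposit("attacker", 0.1)                   # 0.1 WALBT now "worth" 500,000 EUR
    vault.borrow("attacker", 400_000)

    # tx 2: crash the price so the honest trove is undercollateralised, then liquidate it
    oracle.submit_value("attacker", q, 1e-9)
    seized = vault.liquidate("attacker", "victim")
    return 400_000, seized


def attack_succeeds(**kwargs) -> bool:
    """True if the replay completes; False if a check stops it."""
    try:
        run_attack(**kwargs)
        return True
    except (PermissionError, ValueError):
        return False
```

With no checks, `run_attack()` mints 400,000 BEUR against 0.1 WALBT and seizes the victim's 1,000,000 WALBT for a 10 TRB stake; passing `vault_kwargs={"max_deviation": 0.5}` makes the consumer reject the inflated price, and `raise_stake=True` makes the 10 TRB stake insufficient before the attacker can report at all. In the real protocol both controls matter: a stake check alone only raises the attacker's cost, while a deviation bound on the consumer side stops a single reporter from moving the price the protocol acts on.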