On February 1, 2023, the Polygon-based stablecoin protocol BonqDAO lost 100M BEUR (its euro-pegged stablecoin) and 120M WALBT tokens — nominally about $120 million — in a single oracle-manipulation attack that cost the attacker less than $1,000 in protocol-level setup.
What happened
BonqDAO accepted WALBT (Wrapped AllianceBlock) as collateral for its BEUR stablecoin. The price of WALBT came from the TellorFlex oracle — Tellor's permissionless price-feed contract on Polygon.
Tellor's design lets anyone become a price reporter by staking 10 TRB tokens (Tellor's governance token, worth roughly $200 at the time). After staking, the reporter can submit any price for any asset. Disputes are resolved through Tellor's voting mechanism, but a consumer that reads the most recent value receives it immediately, before any dispute window has elapsed.
The attack:
- Staked 10 TRB on TellorFlex from address A.
- Submitted a price report declaring 1 WALBT = $5,000,000.
- Opened a BonqDAO "Trove" with 0.1 WALBT as collateral. Under the manipulated price, that collateral was worth $500,000 — easily enough to borrow large amounts of BEUR. The attacker borrowed 100M BEUR.
- Swapped the BEUR for USDC on Uniswap.
Then the second leg:
- Staked 10 TRB again from address B and reported 1 WALBT = $0.0000001.
- At the new, near-zero price, every existing WALBT-backed Trove on BonqDAO became massively under-collateralised.
- The attacker liquidated those Troves, claiming the underlying WALBT at the liquidation discount and walking away with 120M WALBT in addition to the earlier USDC.
Total cost to set up: 20 TRB (~$4,000). Total drained: ~$120M nominal.
Aftermath
- BonqDAO's TVL fell from $13M to $44K — a 99.66% drop — in a single transaction.
- The attacker began moving funds through Tornado Cash within 48 hours.
- BonqDAO and AllianceBlock published a joint post-mortem and the protocol effectively wound down.
Why it matters
BonqDAO is the strongest case study for why permissionless oracles must be wrapped in dispute windows and price-deviation circuit breakers before they can be safely consumed by lending protocols. Tellor's design was working as advertised; BonqDAO's mistake was treating the most recent reported price as gospel. The defensive answer is well-known and well-documented:
- Time-weighted aggregation across multiple reports.
- Hard price-deviation limits that block reads outside a sanity range.
- Multi-oracle medians (e.g. Chainlink + Tellor + on-chain TWAP).
Every lending protocol that ships without all three is one stake-and-report away from BonqDAO's outcome.
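An added example, not code from BonqDAO, Tellor or the cited write-ups: a Python model of a read-side oracle guard that applies the three controls above (dispute window, multi-source median, deviation breaker) and replays the $5,000,000 report against a single feed. The `GuardedOracle` class, the feed names and the WALBT prices are constructed for illustration and do not reflect any real oracle API.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from statistics import median


@dataclass
class Report:
    source: str   # which feed submitted it (e.g. "tellor"); names are constructed
    price: float  # reported USD price of the collateral asset
    ts: int       # unix time the report landed on-chain


@dataclass
class GuardedOracle:
    """Consumer-side wrapper around raw price reports. Hypothetical code:
    it models the three controls listed in the text, not any real oracle API."""
    dispute_window: int              # seconds a report must age before it can be read
    max_deviation: float             # e.g. 0.25 = reject a move of >25% vs last accepted
    last_accepted: float | None = None
    reports: list[Report] = field(default_factory=list)

    def submit(self, source: str, price: float, ts: int) -> None:
        # Anyone may report (as on a permissionless feed); the guard sits on the read side.
        self.reports.append(Report(source, price, ts))

    def read(self, now: int) -> float | None:
        """Return a price safe to consume at `now`, or None if the guard refuses."""
        # 1. Dispute window: a report newer than the window is invisible, so a value
        #    submitted in the same block as a borrow cannot be used for that borrow.
        mature = [r for r in self.reports if now - r.ts >= self.dispute_window]
        latest: dict[str, Report] = {}
        for r in mature:  # newest mature report from each independent source
            if r.source not in latest or r.ts > latest[r.source].ts:
                latest[r.source] = r
        if not latest:
            return None
        # 2. Multi-source median: with three feeds, one poisoned value is discarded.
        candidate = median(r.price for r in latest.values())
        # 3. Deviation breaker: refuse a candidate far from the last accepted price
        #    instead of lending or liquidating against it.
        if self.last_accepted is not None:
            move = abs(candidate - self.last_accepted) / self.last_accepted
            if move > self.max_deviation:
                return None
        self.last_accepted = candidate
        return candidate
```

With a single feed the breaker is what stops the $5,000,000 and near-zero reports; with three feeds the median alone absorbs one poisoned source.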
Sources & on-chain evidence
- [01] hacken.io: https://hacken.io/insights/bonqdao-hack/
- [02] medium.com: https://medium.com/immunefi/hack-analysis-bonqdao-february-2023-ef6aab0086d6
- [03] rekt.news: https://rekt.news/bonq-rekt