Back to Blog

BonqDAO Exploited on Polygon: $120M Stolen Due to Flawed Logic

Code Auditing
February 2, 2023
5 min read

On February 2nd, 2023, BonqDAO on Polygon was attacked, resulting in losses of approximately 98.6M BEUR and 113M WALBT. After investigation, we found that the flawed logic used to determine the WALBT token price was the cause of the attack. As a blockchain security company, we closely monitor such exploits that can have far-reaching implications in the DeFi space.

Date Attack type Chain Lost Recovered
2023/2/1 Flawed Price Dependency Polygon ~ $120 M No

Project Introduction

BonqDAO (Bonq Decentralized Autonomous Organization) is a DeFi lending platform deployed on Polygon. Users can provide liquidity to the protocol or take out overcollateralized loans to earn yields, and then they can mint BEUR, a stablecoin pegged to the Euro.

After this attack, BonqDAO's TVL plummeted from $13 million to $44,000, experiencing a 99.66% decline.

BonqDAO subsequently announced that the Bonq protocol had been suspended, and AllianceBlock and the Bonq team minted new ALBT tokens and airdropped them to affected users.

Attack Analysis

TellorFlex is the Oracle of BonqDAO. It is decentralized and anyone can become a price provider by staking only 10 TRB tokens and modify the oracle price at will.

The attacker carried out profits in two ways during this attack:

  • Raise the WALBT's price and then borrow a massive amount of BEUR tokens
  • Lower the WALBT's price and then liquidate other use’s WALBT.

The attacker's strategy can be broken down into the following key steps:

  1. Prepare funds
  2. The attacker staked a 10 TRB tokens and increased the price of WALBT tokens through TellorPriceFeed (0x8f55).
  1. The attacker then deposits 0.1 WALBT and directly uses the updated price to obtain 100M BEUR.
  1. The attacker used the same method to manipulate WALBT to drop to a low price, liquidate other BonqDAO users’ WALBT collateral, and then resell them for further profit.

Fund Tracking

As a company dedicated to maintaining blockchain security, we have also been closely monitoring the progress of this attack. (Our official Twitter account has been continuously reporting on this incident, and interested readers can follow our account @BlockSecTeam@MetaSleuth to track the movement of these funds together.)

MetaSleuth is a high-performance cross-chain fund flow analytics tool that enhances the transparency of blockchain transaction activity. It allows users to nearly real-time track the trail of affected digital assets. By leveraging MetaSleuth, we can clearly see the relevant fund flow tracking information during the occurrence and follow-up of this attack.

  1. The profit of the BonqDAO attacker was approximately 98.6M BEUR and 113M WALBT. Specifically, 113M WALBT was burned to unlock 113M ALBT from the ETH chain. Approximately 0.5M BEUR was swapped for 534,535 USDC and then swapped for Ethereum (0xcacf...6642). The attacker still had 98.1M BEUR remaining in their Polygon account.
  1. Regarding the Ethereum address 0xcacf..6642 , it used 0xExchange(@0xproject ) to swap the received USDC for DAI. Additionally, WALBT is swapping into ETH/USDT using 0xExchange and Uniswap. The account currently holds 711 ETH, 534,481 DAI, and 89M ALBT.
  1. On Feb 3, 2023, we detected that the attacker had swapped DAI for Ether and laundered 1,105 Ether via Tornado Cash.

Summary

The root cause of this attack is that the cost of collateral required for modifying the quotation of TellorFlex oracle is too low, and the amount of collateral borrowing in the Bonq lending contract is only related to the price reported by TellorFlex oracle. Therefore, attackers can modify the quotation at a relatively low cost and get considerable profits through collateral borrowing.

Read More

The above are just representative cases. In fact, we have more cases focusing on blockchain security analysis.

DeFi Exploit Analysis: The Root Cause of Euler's $200M Loss

About BlockSec

BlockSec offers a full stack security service for blockchain projects, providing assistance from pre-launch to post-launch and incident response. During the development and testing stages, Expert Code Auditing Services and the Phalcon fork testing platform are employed to help identify potential security issues. Ensure robust post-launch security for your blockchain project with BlockSec Phalcon. This streamlined SaaS platform offers incident alerts and automatic blocking to prevent crypto hacks. It employs precise attack detection, scanning both pending and on-chain transactions, allowing you to swiftly intercept hackers. Additionally, MetaSleuth is an intuitive crypto tracking and investigation platform that helps enhance the traceability and transparency of assets.

Sign up for the latest updates
~$18M Lost: jaredFromSubway, Aztec & More | BlockSec Weekly
Security Insights

~$18M Lost: jaredFromSubway, Aztec & More | BlockSec Weekly

This weekly blockchain security report covers June 15 to June 21, 2026, with 3 notable incidents across Ethereum and BNB Chain totaling approximately $18.3M in losses. Two incidents are analyzed in detail. Based on on-chain analysis, the highlighted jaredFromSubway incident reveals a reversed approval attack pattern: unlike traditional exploits where attackers abuse vulnerabilities in trusted DeFi contracts to drain user-approved assets, this MEV bot proactively approved its own assets to untrusted third-party contracts for arbitrage. The attacker constructed fake wrapper tokens and swap pools that emitted real events but never consumed the granted allowances, with reported total losses of ~$15M. The report also covers Aztec's second exploit in three days, where a missing equality constraint between two witnesses for `old_data_root` in the escape hatch ZK circuit allowed the attacker to prove ownership of fabricated notes against a fake Merkle tree while passing on-chain root validation.

Web3 Companion: The Open-Source Secure Agentic Wallet

Web3 Companion: The Open-Source Secure Agentic Wallet

BlockSec open-sources Web3 Companion, a security-first agentic wallet that treats its own AI agent as untrusted and uses key isolation, hard policies, and Passkey to protect on-chain assets.

~$5.98M Lost: Aztec, Raydium & More | BlockSec Weekly
Security Insights

~$5.98M Lost: Aztec, Raydium & More | BlockSec Weekly

This weekly blockchain security report covers the period of June 8 to June 14, 2026, analyzing 4 notable incidents across Ethereum and Solana with total losses of approximately $5.98M. The highlighted events include Aztec Connect, where a missing input validation allowed the rollup's proof path and L1 settlement to reach inconsistent states, and Raydium, where a missing validation check on the legacy AMM v3 program allowed an attacker to manipulate the LP token redemption calculation and drain four pools. Both vulnerabilities had been live for years before exploitation. The report examines attack types including lack of input validation, integer overflow, and governance capture.

Best Security Auditor for Web3

Validate design, code, and business logic before launch. Aligned with the highest industry security standards.

BlockSec Audit