Back to Blog

BonqDAO Exploited on Polygon: $120M Stolen Due to Flawed Logic

Code Auditing
February 2, 2023
5 min read

On February 2nd, 2023, BonqDAO on Polygon was attacked, resulting in losses of approximately 98.6M BEUR and 113M WALBT. After investigation, we found that the flawed logic used to determine the WALBT token price was the cause of the attack. As a blockchain security company, we closely monitor such exploits that can have far-reaching implications in the DeFi space.

Date Attack type Chain Lost Recovered
2023/2/1 Flawed Price Dependency Polygon ~ $120 M No

Project Introduction

BonqDAO (Bonq Decentralized Autonomous Organization) is a DeFi lending platform deployed on Polygon. Users can provide liquidity to the protocol or take out overcollateralized loans to earn yields, and then they can mint BEUR, a stablecoin pegged to the Euro.

After this attack, BonqDAO's TVL plummeted from $13 million to $44,000, experiencing a 99.66% decline.

BonqDAO subsequently announced that the Bonq protocol had been suspended, and AllianceBlock and the Bonq team minted new ALBT tokens and airdropped them to affected users.

Attack Analysis

TellorFlex is the Oracle of BonqDAO. It is decentralized and anyone can become a price provider by staking only 10 TRB tokens and modify the oracle price at will.

The attacker carried out profits in two ways during this attack:

  • Raise the WALBT's price and then borrow a massive amount of BEUR tokens
  • Lower the WALBT's price and then liquidate other use’s WALBT.

The attacker's strategy can be broken down into the following key steps:

  1. Prepare funds
  2. The attacker staked a 10 TRB tokens and increased the price of WALBT tokens through TellorPriceFeed (0x8f55).
  1. The attacker then deposits 0.1 WALBT and directly uses the updated price to obtain 100M BEUR.
  1. The attacker used the same method to manipulate WALBT to drop to a low price, liquidate other BonqDAO users’ WALBT collateral, and then resell them for further profit.

Fund Tracking

As a company dedicated to maintaining blockchain security, we have also been closely monitoring the progress of this attack. (Our official Twitter account has been continuously reporting on this incident, and interested readers can follow our account @BlockSecTeam@MetaSleuth to track the movement of these funds together.)

MetaSleuth is a high-performance cross-chain fund flow analytics tool that enhances the transparency of blockchain transaction activity. It allows users to nearly real-time track the trail of affected digital assets. By leveraging MetaSleuth, we can clearly see the relevant fund flow tracking information during the occurrence and follow-up of this attack.

  1. The profit of the BonqDAO attacker was approximately 98.6M BEUR and 113M WALBT. Specifically, 113M WALBT was burned to unlock 113M ALBT from the ETH chain. Approximately 0.5M BEUR was swapped for 534,535 USDC and then swapped for Ethereum (0xcacf...6642). The attacker still had 98.1M BEUR remaining in their Polygon account.
  1. Regarding the Ethereum address 0xcacf..6642 , it used 0xExchange(@0xproject ) to swap the received USDC for DAI. Additionally, WALBT is swapping into ETH/USDT using 0xExchange and Uniswap. The account currently holds 711 ETH, 534,481 DAI, and 89M ALBT.
  1. On Feb 3, 2023, we detected that the attacker had swapped DAI for Ether and laundered 1,105 Ether via Tornado Cash.

Summary

The root cause of this attack is that the cost of collateral required for modifying the quotation of TellorFlex oracle is too low, and the amount of collateral borrowing in the Bonq lending contract is only related to the price reported by TellorFlex oracle. Therefore, attackers can modify the quotation at a relatively low cost and get considerable profits through collateral borrowing.

Read More

The above are just representative cases. In fact, we have more cases focusing on blockchain security analysis.

DeFi Exploit Analysis: The Root Cause of Euler's $200M Loss

About BlockSec

BlockSec offers a full stack security service for blockchain projects, providing assistance from pre-launch to post-launch and incident response. During the development and testing stages, Expert Code Auditing Services and the Phalcon fork testing platform are employed to help identify potential security issues. Ensure robust post-launch security for your blockchain project with BlockSec Phalcon. This streamlined SaaS platform offers incident alerts and automatic blocking to prevent crypto hacks. It employs precise attack detection, scanning both pending and on-chain transactions, allowing you to swiftly intercept hackers. Additionally, MetaSleuth is an intuitive crypto tracking and investigation platform that helps enhance the traceability and transparency of assets.

Sign up for the latest updates
Zcash Orchard Soundness Bug Analysis | BlockSec Weekly
Security Insights

Zcash Orchard Soundness Bug Analysis | BlockSec Weekly

During the week of June 1, 2026, a critical soundness vulnerability was publicly disclosed in Zcash's Orchard shielded pool circuit, caused by a missing equality constraint in the halo2 ECC scalar multiplication gadget that could have enabled undetectable counterfeiting of ZEC within the Orchard pool through double-spending. The vulnerability, which existed for over four years since Orchard's activation in May 2022, was discovered by an AI-assisted security audit and patched through an emergency network upgrade (NU6.2). This single-event report covers the technical root cause (under-constrained ZK circuit relation), the AI-assisted discovery by researcher Taylor Hornby using Anthropic's Opus 4.8 model, the emergency response timeline, and the broader implications for the ZKP ecosystem.

Newsletter - May 2026
Security Insights

Newsletter - May 2026

In May 2026, the DeFi ecosystem experienced three major security incidents. Echo Protocol lost ~$76.7M due to an administrator key compromise that enabled unauthorized minting of unbacked eBTC on Monad, StablR suffered ~$12.8M from a multisig governance breach leading to unauthorized stablecoin issuance, and the Verus-Ethereum Bridge incurred ~$11.7M following a type-validation failure that allowed a crafted supplemental export to be misclassified as a valid primary export.

~$16M Lost: DxSale, SquidRouterModule & More | BlockSec Weekly
Security Insights

~$16M Lost: DxSale, SquidRouterModule & More | BlockSec Weekly

This weekly security report covers 5 notable attack incidents between May 25 and May 31, 2026, with combined losses of approximately $16M across BNB Chain, Ethereum, Base, Arbitrum, and Cosmos. Key incidents include the DxSale token locker exploit ($7.3M) involving three missing state updates compounded by a deployer key compromise, the SquidRouterModule exploit ($3.2M) caused by improper input validation in an Axelar Bridge integration that allowed forged cross-chain messages to drain 86 Safe wallets, and the Gravity Bridge signing key compromise ($5.4M). Other incidents involve a compromised deployer key (Stake DAO, $91K) and a vulnerable off-chain bridge backend (Alephium, $300K).

Best Security Auditor for Web3

Validate design, code, and business logic before launch. Aligned with the highest industry security standards.

BlockSec Audit