On February 2nd, 2023, the Polygon DeFi protocol BonqDAO fell victim to a price oracle hack caused by an error in its smart contract code. The attacker stole 100 million $BEUR stablecoins and 120 million Wrapped AllianceBlock Tokens ($WALBT).
Summary: The attacker exploited a bug in the price feed smart contract that supplies the Bonq protocol with the $ALBT price from the Tellor Oracle. The bug allowed the exploiter to raise the reported price of the $ALBT token and, with collateral valued at that inflated price, borrow 100 million $BEUR stablecoins.
@hackenhacker, an on-chain analyst and researcher, indicated that Bonq Protocol was exposed to an oracle hack, where the exploiter increased the $ALBT price and minted large amounts of $BEUR. The $BEUR was then swapped for other tokens on Uniswap.
Let’s take a close look inside the transaction.
The attacker forced a change to the price of $ALBT. Notice the second argument passed to the updatePrice function on one of Bonq's smart contracts: arg1=5000000000000000000000000000, that is 5 × 10^27 in raw units, orders of magnitude above any plausible $ALBT price.
With the $ALBT price raised that far, the attacker was able to mint millions of $BEUR essentially for free. While there was still liquidity on Uniswap, they swapped around 2 million $BEUR for $USDC, $DAI, $WALBT, $WETH, and $WMATIC. The hacker has already laundered more than 1,105 $ETH via Tornado Cash, locking in a gain of about $1.8M USD.
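To make the mechanism concrete, here is an added illustration (not Bonq's code, and not the exploit) of a price feed that anyone can overwrite next to a hardened one, plus the borrower-side arithmetic that turns an inflated price into freely mintable stablecoin. The contract and function names, the two-argument updatePrice(address, uint256) signature chosen to mirror the call above, the 120% minimum collateral ratio and the 18-decimal fixed-point units are all assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not Bonq's code. The contract and function names, the
// two-argument updatePrice(address, uint256) signature and the 18-decimal
// fixed-point units are assumptions chosen to mirror the call shown above.

interface IPriceFeed {
    // Price of one collateral token in EUR, scaled by 1e18.
    function price() external view returns (uint256);
}

// Vulnerable pattern: no access control, no sanity checks, value used as-is.
contract OpenPriceFeed is IPriceFeed {
    uint256 public override price;

    // Anyone can call this; the second argument is taken at face value.
    function updatePrice(address, uint256 newPrice) external {
        price = newPrice;
    }
}

// Hardened pattern: restricted reporter, bounded step per update, staleness check.
contract GuardedPriceFeed is IPriceFeed {
    uint256 public override price;
    uint256 public lastUpdate;
    address public immutable reporter;
    uint256 public constant MAX_STEP_BPS = 1_000; // at most a 10% move per update
    uint256 public constant MAX_AGE = 1 hours;    // consumers reject older prices

    constructor(address reporter_, uint256 initialPrice) {
        require(initialPrice > 0, "zero price");
        reporter = reporter_;
        price = initialPrice;
        lastUpdate = block.timestamp;
    }

    function updatePrice(address, uint256 newPrice) external {
        require(msg.sender == reporter, "not reporter");
        uint256 step = price * MAX_STEP_BPS / 10_000;
        require(newPrice >= price - step && newPrice <= price + step, "price step too large");
        price = newPrice;
        lastUpdate = block.timestamp;
    }

    // Consumers should read through this so a silent feed cannot be relied on.
    function freshPrice() external view returns (uint256) {
        require(block.timestamp - lastUpdate <= MAX_AGE, "stale price");
        return price;
    }
}

// Minimal borrower-side logic: how much stablecoin a given amount of
// collateral can mint at the feed's price, at a 120% minimum ratio.
contract Trove {
    IPriceFeed public immutable feed;
    uint256 public constant MIN_COLLATERAL_RATIO = 12e17; // 1.2, scaled by 1e18

    constructor(IPriceFeed feed_) {
        feed = feed_;
    }

    function maxMint(uint256 collateralAmount) public view returns (uint256) {
        uint256 value = collateralAmount * feed.price() / 1e18; // EUR value, 1e18 scaled
        return value * 1e18 / MIN_COLLATERAL_RATIO;
    }
    // With one token (1e18) of collateral:
    //   price 1e17 (0.10 EUR)        -> maxMint ~ 8.3e16  (0.083 stablecoin)
    //   price 5e27 (the arg1 above)  -> maxMint ~ 4.17e27 (about 4.2 billion stablecoin)
}
```

The guarded feed is deliberately simple: a per-update step bound only slows down a compromised reporter, and it does nothing if the initial price is wrong, so in practice the reporter role should be a contract that aggregates several independent sources and, where the upstream oracle has a dispute or finalization window, only accepts values after that window has passed. The important point is on the consumer side: a lending contract must never value collateral with a number that a single unprivileged caller can set in one transaction.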
Investors lost trust in the Bonq token ($BNQ) and started selling on hearing the news.
Bonq Euro ($BEUR), a stablecoin pegged to the Euro, fell to an all-time low of $0.15 on Feb 3. A decrease of this magnitude is hardly recoverable for any stablecoin.
AllianceBlock Token ($ALBT) also took a major hit as collateral damage.
BonqDAO serves as yet another confirmation of the triple damage that follows lagging security: direct loss + token price drop + diluted community trust. This hack underscores the importance of a comprehensive smart contract audit by a professional auditor, with specific attention to defenses against price oracle manipulation.
The BonqDAO hack was made possible by the lack of security measures in BonqDAO's smart contracts against price oracle manipulation. The bug inside the price feed enabled the bad actor to change the price and mint Bonq's stablecoin. In this case, a Polygon smart contract audit could have prevented the exploit. Hacken offers highly experienced security auditors and diligent enforcement of auditing standards to detect and fix critical weaknesses in DeFi protocols deployed on Polygon.
Bonq is still deciding what to do next, whereas AllianceBlock announced an airdrop to replace legacy tokens with newly minted ones. Users must be especially careful, as scammers push phishing campaigns before and during airdrops.
AllianceBlock also communicated another important development, stating that it would revise the scope of its cooperation with less-known crypto projects. The move underscores the importance of gaining industry trust for Web3 projects. Credible security certification is the battle-tested method of earning that trust.