BonqDAO Oracle Manipulation: How a $120 Million Exploit Exposed DeFi Price Feed Vulnerabilities

The decentralized finance ecosystem suffered a significant blow on February 1, 2023, when BonqDAO, a non-custodial lending protocol deployed on the Polygon blockchain, lost approximately $120 million in a sophisticated price oracle manipulation attack. The exploit stands as one of the largest DeFi hacks of early 2023 and raises urgent questions about the security of oracle-dependent protocols across the broader crypto landscape.

At the time of the attack, Bitcoin was trading at approximately $23,700 and Ethereum at $1,640, reflecting a nascent market recovery from the depths of the 2022 bear cycle. The exploit targeted BonqDAO, a platform that allowed users to lock tokens as collateral in individual troves and mint BEUR, a stablecoin pegged to the Euro. The protocol relied on the TellorFlex oracle system to determine collateral values — a dependency that the attacker weaponized with devastating efficiency.

The Exploit Mechanics

The attacker exploited a critical vulnerability in the TellorFlex oracle contract that BonqDAO used for price feeds. The submitValue function in the TellorFlex contract was essentially permissionless — any address that had staked a minimum amount of TRB tokens could report a price value to the oracle. The fatal flaw was that the protocol treated the last reported value as the spot price, meaning any reporter could temporarily inflate or deflate the perceived value of a token.

The attack unfolded in two carefully timed transactions. In the first transaction, the attacker reported an artificially inflated price for WALBT, the wrapped version of AllianceBlock’s native token. With the oracle now showing a massively inflated WALBT value, the attacker created a trove, deposited a modest amount of WALBT as collateral, and borrowed approximately 100 million BEUR — far more than their actual collateral justified.

Approximately two minutes later, the attacker executed the second phase. They reported a drastically deflated price for WALBT to the same oracle. This sudden price crash pushed over 30 legitimate borrowers’ troves below the minimum collateralization ratio, triggering mass liquidations. The attacker, positioned as a liquidator, swept up approximately 113 million WALBT from these liquidated troves at deep discounts.

Affected Systems

The immediate victims included over 30 BonqDAO trove holders who saw their positions liquidated through no fault of their own. AllianceBlock, whose ALBT token was central to the exploit, saw its wrapped token (WALBT) price plummet 51% in the hours following the attack. Roughly 114 million WALBT tokens were stolen during the exploit, along with the borrowed BEUR stablecoins.

The broader DeFi ecosystem on Polygon also felt the impact. Liquidity pools containing WALBT and BEUR experienced severe disruptions, and several decentralized exchanges suspended trading of the affected tokens to prevent further damage. The total losses were estimated at approximately $120 million, making it the largest crypto hack of February 2023.

The Mitigation Strategy

In the aftermath of the BonqDAO exploit, the protocol team suspended all trading and liquidity operations to contain the damage and prevent the stolen tokens from being offloaded on the open market. AllianceBlock implemented emergency measures to protect its community, including proposals to migrate affected users to a new token contract.

From a technical standpoint, the exploit highlighted several critical mitigations that DeFi protocols must implement. First, oracle systems should not rely solely on a single reporter’s submitted value. Time-weighted average price feeds, such as those provided by Chainlink, offer significantly more resistance to manipulation by averaging prices across multiple data points and time periods.

Second, protocols should implement circuit breakers that halt operations when price movements exceed reasonable thresholds. A sudden 1,000% price swing in a collateral token should trigger an automatic pause rather than being accepted at face value. Third, multi-oracle architectures that cross-reference price data from multiple independent sources can help detect and reject anomalous values.
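As an added illustration (not code from BonqDAO, Tellor or this article), the following Python sketch contrasts the last-value read described under The Exploit Mechanics with the three mitigations just listed: a time-weighted average, a deviation circuit breaker, and a median across independent sources. The report series, source names, the 3,600-second window and the 20% deviation threshold are all constructed assumptions for the demonstration.

```python
"""Oracle-consumer hardening sketch (added example, not BonqDAO's or Tellor's code).

Contrasts valuing collateral at the last submitted report with three defensive
reads: a time-weighted average, a deviation circuit breaker, and a median across
independent sources. Thresholds, source names and the report series are constructed.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Report:
    timestamp: int   # unix seconds at which the value was submitted
    price: float     # quote-currency units per one collateral token
    source: str      # hypothetical reporter / oracle identifier


class OracleHalted(Exception):
    """Raised when a read should pause the protocol instead of returning a price."""


def naive_spot(reports):
    """The fragile pattern: whatever was reported most recently is the spot price."""
    return max(reports, key=lambda r: r.timestamp).price


def twap(reports, now, window):
    """Time-weighted average price over [now - window, now].

    Each report is weighted by how long it remained the latest value, so a
    single submission only moves the average in proportion to its age.
    """
    start = now - window
    history = sorted((r for r in reports if r.timestamp <= now), key=lambda r: r.timestamp)
    # Keep the report in force at the window start plus everything inside the window.
    before = [r for r in history if r.timestamp <= start]
    inside = [r for r in history if r.timestamp > start]
    segments = before[-1:] + inside
    if not segments:
        raise ValueError("no reports available")
    covered = now - max(start, segments[0].timestamp)
    if covered <= 0:
        raise ValueError("window contains no price history")
    total = 0.0
    for i, r in enumerate(segments):
        seg_start = max(r.timestamp, start)
        seg_end = segments[i + 1].timestamp if i + 1 < len(segments) else now
        total += r.price * (seg_end - seg_start)
    return total / covered


def check_deviation(candidate, reference, max_deviation):
    """Circuit breaker: refuse a value that moves too far from the reference.

    max_deviation is a fraction (0.2 == 20 percent); the threshold is an
    assumed tuning parameter, not a value taken from the incident.
    """
    if reference <= 0:
        raise ValueError("reference price must be positive")
    deviation = abs(candidate - reference) / reference
    if deviation > max_deviation:
        raise OracleHalted(f"price moved {deviation:.0%} against reference; pausing")
    return candidate


def validate_report(new, history, window, max_deviation):
    """Admit a new report only if it stays close to the TWAP of the prior history."""
    reference = twap(history, now=new.timestamp, window=window)
    return check_deviation(new.price, reference, max_deviation)


def aggregate_sources(latest_by_source, min_sources=3):
    """Median across independent sources, so one bad reporter cannot set the price."""
    if len(latest_by_source) < min_sources:
        raise OracleHalted(f"only {len(latest_by_source)} sources, need {min_sources}")
    return median(latest_by_source.values())


# Constructed history: an hour of plausible reports alternating 0.10 / 0.12.
HISTORY = [Report(t, 0.10 if i % 2 == 0 else 0.12, "a")
           for i, t in enumerate(range(0, 3600, 600))]
WINDOW = 3600  # seconds, assumed


def demo():
    """Returns the outcome of each read so the behaviour can be inspected or asserted."""
    inflated = Report(3600, 100.0, "x")   # a single reporter submits a wildly inflated value
    honest = Report(3600, 0.115, "b")     # a plausible report from a second source
    out = {"naive": naive_spot(HISTORY + [inflated])}
    out["reference"] = twap(HISTORY, now=3600, window=WINDOW)
    out["honest"] = validate_report(honest, HISTORY, WINDOW, max_deviation=0.2)
    try:
        validate_report(inflated, HISTORY, WINDOW, max_deviation=0.2)
        out["inflated"] = "accepted"
    except OracleHalted:
        out["inflated"] = "halted"
    out["median"] = aggregate_sources({"a": 0.10, "b": 0.12, "c": 100.0})
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run directly, `demo()` shows the naive read returning the single inflated submission while `validate_report()` halts on it, because the new value is compared against the TWAP of prior history before it is admitted. That ordering matters: a time-weighted average that has already absorbed an outlier is itself skewed, so the breaker checks the candidate against the untouched history first, and the median aggregation only matters when the sources are genuinely independent rather than one permissionless feed counted three times.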

Lessons Learned

The BonqDAO hack reinforces a painful lesson that the DeFi community has learned repeatedly: oracle security is protocol security. A lending platform is only as trustworthy as its price feeds, and permissionless oracle reporting without adequate safeguards creates an existential vulnerability. The TellorFlex system’s design, while intended to be decentralized and open, lacked the protective layers necessary to prevent abuse.

The incident also underscores the importance of thorough smart contract auditing. While the vulnerable code was technically functioning as designed, a comprehensive security review should have identified the risk of single-reporter price manipulation and recommended appropriate countermeasures. Professional auditing firms routinely flag oracle dependency as a high-risk area that requires robust mitigation strategies.

User Action Required

For DeFi users, the BonqDAO exploit serves as a stark reminder to evaluate the oracle infrastructure of any protocol before depositing funds. Users should prefer platforms that employ established, battle-tested oracle providers with proven manipulation resistance. Understanding a protocol’s liquidation mechanics and how they respond to sudden price changes can help users assess their true risk exposure and set appropriate collateralization ratios to protect against cascading liquidation events.

Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before engaging with any DeFi protocol.

13 thoughts on “BonqDAO Oracle Manipulation: How a $120 Million Exploit Exposed DeFi Price Feed Vulnerabilities”

  1. permissionless submitValue on TellorFlex is wild. how did nobody catch that during audit? $120M gone because of one function call

1. audits don't catch everything when the economics of the attack are cheaper than fixing the bug. $120M loss vs maybe a $50k audit fix

      1. a $50k audit fix to prevent a $120M exploit. the ROI on security is staring everyone in the face and teams still skip it. unbelievable

  2. the BEUR stablecoin peg was doomed from the start. collateral valued by a single oracle with no fallback is textbook bad design

    1. Polygon ecosystem keeps getting hit. first the bridge exploit, now BonqDAO. at what point do devs stop blaming individual protocols and look at the pattern

      1. polygon_build_

polygon_whale, the pattern is clear. polygon security incidents keep happening because the low gas fees attract rapid prototyping without proper audits

    2. oracle_safety

Wei Z., a single oracle with no fallback valuing collateral for a stablecoin. this is defi 101 stuff that somehow shipped to production

  3. individual troves with no collective risk pooling means one bad oracle read cascades instantly. basic fragility

4. permissionless submitValue on a price oracle is basically leaving your front door open with a sign that says please don't steal. the TellorFlex design was flawed at the protocol level

5. polygon had 5 major exploits in 2022-2023 and bonqdao was the worst one. the chain itself isn't the problem but the quality of protocols deploying on it is rough

1. polygon low gas fees attract devs who can't afford to deploy on eth mainnet. that filters for speed over security every single time. the chain is fine, the quality bar is the problem

  6. BEUR pegged to EUR with collateral valued by a permissionless oracle function. what could possibly go wrong

    1. exactly. a euro-pegged stablecoin using a single oracle is asking for trouble. even DAI uses multiple price sources and it still depegs under stress
