Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

BonqDAO - 1116

Immunefi, posted 2 years ago
  • BonqDAO is a non-custodial, over-collateralized lending protocol on the Polygon blockchain. This project allows for any protocol to borrow against their own token at a zero percent interest rate.
  • Users lock their assets into a smart contract controlled only by the users - a non-custodial protocol. Collateral is locked in Troves (unsure what this means), each of which has a minimum collateralization ratio. If a Trove's ratio falls below that minimum, anybody can liquidate it.
  • TellorFlex is the oracle system of Bonq. Its submitValue function allows a reporter to submit a value to the oracle. Since this is permissionless, anybody can write a value provided that a few conditions are met:
    • Nonce is legit to prevent replay attacks.
    • A minimum amount of tokens have been staked by the poster of the price.
    • No reported price for the query ID.
    • Timelock check to make sure a person cannot report more than once in quick succession.
  • How hard are all of those requirements to meet? Barely an inconvenience! All we have to do is stake funds and we've updated the price without any sanity checks. In fact, the contract used the spot price of the token as well, so a single report can arbitrarily inflate or deflate the value of a given price feed.
  • The attacker exploited this in an interesting way. Instead of simply making money off of buying/selling, they went the liquidation route. First, they increased the price of WALBT, leading to a very large borrow using a modest amount of capital. This money can be used to fund our attacks later on.
  • Next, report a price on the new block with a very small spot price. Since the price is small, we can use this to liquidate all of the loans taken out. We will obtain lots of collateral for almost nothing in return.
  • The blog post has a new PoC in Foundry for a test environment as well. This was a pretty major hack for how simple the bug was - anybody could set the price of a cryptocurrency.
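To make the four submitValue gates and the missing value check concrete, here is an added Python model written for this page. It is not code from the Immunefi post, BonqDAO or TellorFlex: the class names, stake and timelock constants, the "WALBT/USD" query id and the reporter names are all constructed. The permissionless oracle accepts any value that clears the nonce, stake, timestamp and timelock gates and serves the latest single report as spot price; the guarded variant adds a deviation bound against the current aggregate and answers with the median of the latest report per distinct reporter instead of spot.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple

# Constructed parameters for the model; not the real TellorFlex values.
MIN_STAKE = 100            # tokens a reporter must stake before submitting
REPORTER_LOCK = 12 * 60    # seconds between two submissions by one reporter
MAX_DEVIATION_BPS = 2000   # guarded oracle: reject prices >20% from the aggregate
MIN_REPORTERS = 3          # guarded oracle: aggregate at least this many reporters
ONE = 10**18               # price scaling convention used in the demo


@dataclass
class Report:
    reporter: str
    value: int       # price scaled by ONE
    timestamp: int   # block timestamp in seconds


class PermissionlessOracle:
    """Models the four submitValue gates from the notes; the value itself is never checked."""

    def __init__(self) -> None:
        self.stakes: Dict[str, int] = {}
        self.nonces: Dict[str, int] = {}                  # query_id -> next expected nonce
        self.reports: Dict[str, Dict[int, Report]] = {}   # query_id -> timestamp -> report
        self.last_submit: Dict[str, int] = {}             # reporter -> last submit timestamp

    def stake(self, reporter: str, amount: int) -> None:
        self.stakes[reporter] = self.stakes.get(reporter, 0) + amount

    def submit_value(self, reporter: str, query_id: str, value: int, nonce: int, now: int) -> None:
        if nonce != self.nonces.get(query_id, 0):                      # 1. replay protection
            raise ValueError("bad nonce")
        if self.stakes.get(reporter, 0) < MIN_STAKE:                   # 2. minimum stake
            raise ValueError("insufficient stake")
        if now in self.reports.get(query_id, {}):                      # 3. nothing yet at this timestamp
            raise ValueError("already reported at this timestamp")
        if now - self.last_submit.get(reporter, -REPORTER_LOCK) < REPORTER_LOCK:  # 4. timelock
            raise ValueError("reporter still locked")
        self.reports.setdefault(query_id, {})[now] = Report(reporter, value, now)
        self.nonces[query_id] = self.nonces.get(query_id, 0) + 1
        self.last_submit[reporter] = now

    def current_price(self, query_id: str) -> int:
        """Spot price: the most recent single report, whoever posted it."""
        by_time = self.reports[query_id]
        return by_time[max(by_time)].value


class GuardedOracle(PermissionlessOracle):
    """Same gates plus a deviation bound and a median over distinct reporters."""

    def _latest_per_reporter(self, query_id: str) -> List[int]:
        latest: Dict[str, int] = {}
        for r in sorted(self.reports.get(query_id, {}).values(), key=lambda r: r.timestamp):
            latest[r.reporter] = r.value
        return list(latest.values())

    def submit_value(self, reporter: str, query_id: str, value: int, nonce: int, now: int) -> None:
        values = self._latest_per_reporter(query_id)
        if values:  # the very first report has no reference; a real deployment seeds one
            ref = int(median(values))
            deviation_bps = abs(value - ref) * 10_000 // ref
            if deviation_bps > MAX_DEVIATION_BPS:
                raise ValueError(f"price deviates {deviation_bps} bps from reference")
        super().submit_value(reporter, query_id, value, nonce, now)

    def current_price(self, query_id: str) -> int:
        """Median of each distinct reporter's latest value; refuses to answer when too few reporters."""
        values = self._latest_per_reporter(query_id)
        if len(values) < MIN_REPORTERS:
            raise ValueError("not enough independent reporters")
        return int(median(values))


def scenario() -> Tuple[int, str, int]:
    """Constructed demo: three honest reporters post about 1.00, then one staked reporter
    posts a 1000x value. Returns (spot price the permissionless oracle serves,
    outcome of the same submission on the guarded oracle, guarded oracle price)."""
    q = "WALBT/USD"
    loose, guarded = PermissionlessOracle(), GuardedOracle()
    for oracle in (loose, guarded):
        for who in ("alice", "bob", "carol", "mallory"):
            oracle.stake(who, MIN_STAKE)
        oracle.submit_value("alice", q, 100 * ONE // 100, 0, 1_000)
        oracle.submit_value("bob", q, 101 * ONE // 100, 1, 1_012)
        oracle.submit_value("carol", q, 99 * ONE // 100, 2, 1_024)
    loose.submit_value("mallory", q, 1000 * ONE, 3, 1_036)   # clears all four gates
    try:
        guarded.submit_value("mallory", q, 1000 * ONE, 3, 1_036)
        outcome = "accepted"
    except ValueError as err:
        outcome = str(err)
    return loose.current_price(q), outcome, guarded.current_price(q)


if __name__ == "__main__":
    print(scenario())
```

Running `scenario()` shows the permissionless oracle serving the 1000x value as spot while the guarded oracle rejects the submission and keeps answering with the median of the three honest reporters. Two caveats for anyone borrowing the idea: a deviation bound only slows a reporter who walks the price up in small steps over many blocks (the median over distinct reporters and the timelock are what make that expensive), and the first report on a fresh query has no reference to check against, so a production feed needs to be seeded from an existing price rather than from whoever submits first.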