Bonq is an over-collateralized lending platform that allows other projects to borrow against their own tokens. Users can lock up custom project tokens (like WALBT) in a Bonq smart contract (called trove) and mint BEUR, a coin pegged to the Euro. The BonqDAO protocol uses WeAreTellor, a Decentralized Oracle Protocol, which incentivizes permissionless data reporting and data validation. In short, anyone can report offchain data to Tellor oracles and any on-chain contract can consume that data. In other words, anyone can report any value as the price of a token. The only requirement to be a reporter is to stake 10 TRB tokens (Tellor protocol token). If the reporter reports incorrect price their staked amount (10 TRB) is slashed.

By staking only 1000 TRB tokens, Bonq protocol was exploited, where exploiter increased the ALBT price and minted large amounts of BEUR. Over 100m BEUR were minted. The BEUR was then swapped for other tokens on Uniswap. Then, the price was decreased to almost zero, which triggered the liquidation of ALBT troves.

The attacker then walks away by withdrawing the illicit gains with 113.8m WALBT and 98m BEUR (valued >$10M). Range of exploit value runs from low $5M to $120M due to the different valuation relating to the BEUR and ALBT tokens.