handsome
@wizard
🔥 Day 3 of #30daysweb3security @Web3SecurityDAO Today I learnt about the recent hack at @BonqDAO due to oracle price manipulation 🧵
Hackers were able to manipulate the Tellor oracle by providing an erroneous price feed and artificially increasing the price of a token -- and then borrowing and draining millions from BonqDAO. What could BonqDAO have done?
They should not have used Tellor's no-dispute, instant price -- where an attacker could provide fake data and have BonqDAO instantly use it. As an optimistic oracle, time is needed for the system to challenge and reject the false price. This was a known bug reported by Liquity.
Instead, BonqDAO should have taken prices that had a slight delay of 15-30 mins, to confirm that the price data is true. I'll be reading up and sharing about the different types of oracles, and the issues around using them, in the days ahead!
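Added example, not part of the original thread and not BonqDAO's or Tellor's code: a small Python model of the difference between consuming an optimistic oracle's newest report instantly and consuming only reports that have sat through a dispute window. The `Report` type, function names, window length, staleness cutoff and sample prices are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

DISPUTE_WINDOW_S = 20 * 60   # assumed value inside the thread's 15-30 minute range
MAX_AGE_S = 2 * 60 * 60      # assumed staleness cutoff, not from the thread

@dataclass(frozen=True)
class Report:
    timestamp: int           # unix seconds at submission
    price: float
    disputed: bool = False

def instant_price(reports: Sequence[Report]) -> Optional[float]:
    """Weak pattern: use the newest report immediately, before anyone can dispute it."""
    live = [r for r in reports if not r.disputed]
    return max(live, key=lambda r: r.timestamp).price if live else None

def delayed_price(reports: Sequence[Report], now: int,
                  window: int = DISPUTE_WINDOW_S,
                  max_age: int = MAX_AGE_S) -> Optional[float]:
    """Newest undisputed report that has already sat through the dispute window.

    Returns None (caller should refuse to lend) if nothing has settled or the
    newest settled report is stale. The delay only helps if a bad report is
    actually disputed before the window ends.
    """
    settled = [r for r in reports
               if not r.disputed and r.timestamp <= now - window]
    if not settled:
        return None
    newest = max(settled, key=lambda r: r.timestamp)
    return newest.price if now - newest.timestamp <= max_age else None

# Constructed sample data: two honest reports, then a freshly submitted bogus one.
NOW = 1_700_000_000
HONEST = [Report(NOW - 3600, 1.00), Report(NOW - 1500, 1.02)]
FAKE = Report(NOW - 10, 5_000_000.0)
SAMPLE = HONEST + [FAKE]

if __name__ == "__main__":
    print("instant:", instant_price(SAMPLE))
    print("delayed:", delayed_price(SAMPLE, NOW))
```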