Explained: The Bondly Finance Hack (July 2021)

Rob Behnke

Bondly Finance is a DeFi project that suffered a hack on July 15, 2021. The attacker was able to mint 373 million BONDLY tokens and sell many of them, crashing the token's value and providing a profit to the attacker.

Inside the Attack

The Bondly Protocol exploit was performed from an address associated with the owners of the protocol. Using this address, the attacker was able to mint 373 million BONDLY tokens via the owner transfer operation, according to PeckShield.

These newly minted tokens were then sold into liquidity pools, letting the attacker convert the stolen value into other tokens while the massively inflated supply caused the value of BONDLY to crash by 82%.

The fact that this attack was performed using an address associated with the owners of Bondly Finance points to two potential explanations:

  1. Rug Pull: A rug pull is when the team behind a blockchain protocol steals value invested in the protocol. A recent example of a rug pull is the Africrypt "hack".
  2. Compromised Private Key: Anyone with access to the private key associated with a blockchain address can perform actions on its behalf. If the key of the account used in the attack was compromised (as in the EasyFi hack), then the attacker could use the permissions granted to this account to carry out their attack.

The fact that multiple Bondly team members' identities are public makes a rug pull less likely, as these are more commonly performed by anonymous teams. However, further information is needed to determine who was really behind the attack.

Lessons Learned from the Bondly Hack

Unlike many DeFi hacks, the attack against the Bondly protocol did not exploit a vulnerability in the protocol's smart contract. The attacker used the legitimate access granted to the protocol owner's account to inappropriately mint tokens and steal them from the protocol. Whether the attacker had legitimate access to the account or stole a private key is still unknown.

This hack demonstrates the importance of appropriately managing and securing access and permissions for DeFi protocols. The fact that a single account could unilaterally carry out this attack and crash the value of the BONDLY token demonstrates a lack of appropriate access management: no second signer, no timelock, and no cap stood between one key and an unlimited mint.
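To make the access-management point concrete, here is an added Solidity illustration (constructed for this article, not Bondly's contract) showing the two mint patterns side by side: a single-key owner mint that lets one compromised or malicious account inflate supply without limit, and a guarded version where the minter must be a contract (intended to be a multisig or timelock), total supply is hard-capped, each epoch's mint is rate-limited, and every mint emits an event that monitoring can alert on. Contract names, the epoch length and the caps are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Pattern A (weak): one owner key can mint any amount at any time.
contract SingleOwnerMintToken {
    address public owner = msg.sender;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        require(msg.sender == owner, "not owner"); // one key = unlimited supply
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

// Pattern B (guarded): mint authority is a contract (multisig/timelock),
// supply is capped, mints are rate-limited per epoch, and each mint is logged.
contract GuardedMintToken {
    uint256 public constant EPOCH = 1 days;      // assumed rate-limit window
    uint256 public immutable maxSupply;          // hard ceiling on totalSupply
    uint256 public immutable mintCapPerEpoch;    // max minted within one EPOCH
    address public immutable minter;             // must be a deployed contract
    uint256 public totalSupply;
    uint256 public epochStart;
    uint256 public mintedThisEpoch;
    mapping(address => uint256) public balanceOf;

    event Minted(address indexed by, address indexed to, uint256 amount);

    constructor(address minter_, uint256 maxSupply_, uint256 capPerEpoch_) {
        // Reject EOAs: a bare private key must not be the mint authority.
        require(minter_.code.length > 0, "minter must be a contract");
        require(capPerEpoch_ <= maxSupply_, "cap exceeds max supply");
        minter = minter_;
        maxSupply = maxSupply_;
        mintCapPerEpoch = capPerEpoch_;
        epochStart = block.timestamp;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        if (block.timestamp >= epochStart + EPOCH) {   // roll into a new epoch
            epochStart = block.timestamp;
            mintedThisEpoch = 0;
        }
        require(mintedThisEpoch + amount <= mintCapPerEpoch, "epoch cap exceeded");
        require(totalSupply + amount <= maxSupply, "max supply exceeded");
        mintedThisEpoch += amount;
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Minted(msg.sender, to, amount); // on-chain signal for supply monitoring
    }
}
```

With Pattern B, a 373-million-token mint would have failed at the epoch cap or the supply ceiling, and even a permitted mint would require the multisig's signers or the timelock's delay rather than a single key.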
