July 19th, 2021
Bondly Finance is a DeFi project that suffered a hack on July 15, 2021. The attacker was able to mint 373 million BONDLY tokens and sell many of them, causing the token’s value to crash and providing a profit to the attacker.
The Bondly Protocol exploit was performed by an address associated with the owners of the protocol. Using this address, the attacker was able to mint 373 million BONDLY tokens using the owner transfer operation, according to PeckShield.
These newly minted tokens were then sold in liquidity pools, enabling the attacker to convert the stolen value to other tokens while causing the value of BONDLY to crash 82% due to the massively inflated supply.
The fact that this attack was performed using an address associated with the owners of Bondly Finance points to 2 potential explanations:
The fact that multiple Bondly team members’ identities are public makes it less likely that this was a rug pull as these are more commonly performed by anonymous teams. However, further information is needed to determine who was really behind the attack.
Unlike many DeFi hacks, the attack against the Bondly protocol did not exploit a vulnerability in the protocol’s smart contract. The attacker used the legitimate access granted to the protocol owner’s account to inappropriately mint tokens and steal them from the protocol. Whether the attacker had legitimate access to the account or stole a private key is still unknown.
This hack demonstrates the importance of appropriately managing and securing access and permissions for DeFi protocols. The fact that a single account could unilaterally carry out this attack and crash the value of the BONDLY token demonstrates a lack of appropriate access management.