Bondly Finance Exploited for Millions in Potential Rug Pull
While the team is still investigating the attack, initial analysis points to a rug pull.
- Bondly Finance, a well-known DeFi and NFT project, was exploited today by "an unknown party," the team said.
- After the liquidity pools were exploited, the attacker minted 373 million BONDLY to sell on the open market, leading to an 82% price crash.
- While team claims to be investigating the incident, it is suspected the attack may have been an insider job.
Share this article
NFT project Bondly Finance was exploited today due to a token-minting attack from a still-unknown assailant.
Attacker Mints 373 million BONDLY tokens
Bondly Finance has suffered an attack.
🚨Attention Bondly Community:
Unfortunately we have been compromised by an unknown party
We would like to take this time to advise you to STOP TRADING $BONDLY
Rest assure we have already taken action and will be operating as usual ASAP
Stay tuned for more updates
— Bondly (@BondlyFinance) July 15, 2021
The DeFi and NFT project was exploited today by “an unknown party,” the team said. The incident is only the latest in a series of major exploits that have hit the DeFi sector this year.
During the attack, someone minted 373 million BONDLY tokens and sold off the inflated supply in the liquidity pools, leading to a price crash.
In the official Bondly Finance Telegram group, the team has confirmed the protocol exploit and told the community that it is still investigating the matter. It also advised everyone to stop trading the token.
The Ethereum address associated with the exploit has been funneling funds through various decentralized exchanges. They’ve also used Tornado.Cash to move $100,000 worth of DAI multiple times over. At the time of writing, the address contains about $1.45 million, though the total gains come closer to $7.5 million.
While the team claims to be investigating the incident, some suspect that the attack may have been an inside job, otherwise known as a “rug pull” in the crypto community.
According to analysis from PeckShield, a blockchain security firm, the illegitimately minted BONDLY tokens that the attacker received came from Bondly’s owner address through an owner transfer operation. Discussing the possibility of a rug pull, Xuxian Jiang, founder and CEO of PeckShield, told Crypto Briefing:
“It is potentially a rug pull as the owner (0x58a058ca4b1b2b183077e830bc929b5eb0d3330c) pulls the trigger in transferring out 373M $BONDLY to sell.”
If not an insider job, the other possibility is that the owner’s private key was leaked, Jiang added.
Sam Kim, founder of Umbrella Network, a decentralized Layer-2 oracle network, also pointed to the private key hack. “Despite these reports, it seems rather unlikely that a public (not anonymous) project like Bondly would rug pull for less than $10 million. The risk and costs are too high. A compromise of their private key seems like the most likely culprit for this attack.” Kim said.
The attack has led to a massive decline in the price of BONDLY tokens. Since the incident came to light, the token has registered an 82% fall, from roughly $0.06 to $0.01 in seven hours, as per CoinGecko.
Bondly Finance first made headlines in Feb. 2021 after it collaborated with YouTuber Logan Paul to issue Pokémon NFTs on Ethereum. Now, it’s become a talking point for a different reason.
Bondly Finance has promised that updates will follow.