Attackers recently targeted Bondly Finance and got over 5M on 15 June. This happened after an unknown attacker took advantage of the infinite mint bug and dumped the 373M “created out of thin air” BONDLY tokens. The best part? The team claims to have no idea as to how it happened and said that they need several days to complete the investigation. BONDLY token has declined almost 90% following the incident.
We will need several days to complete our investigation. Simultaneously, we are exploring a variety of options to support our community, including the possibility of token redeployment. We will provide an update once our investigation is completed. Thank you for your patience
NFT management platform Bondly allegedly had a rug pull, since the infinite mint bug can’t be performed without the smart contract’s owner authorization. Another theory says that hackers took hold of the owner’s private keys. However, the community’s opinion leans heavily on the side of “rug pull”. This means that the team likely performed the attack themselves.
The huge mint of 373M BONDLY @BondlyFinance on eth is performed by owner: 0x58a058ca4b1b2b183077e830bc929b5eb0d3330c, a rug pull?
PeckShield seems to agree with the rug pull theory as the owner address minted the token, before sending it to the attacker’s address to be dumped. The Bondly team has also been criticized for slow response and no proper community, after the attack. Exploit TX 0xc2b339468b23cc8b98d6d4534e87d8ec3b85a0d26f8c169a22efe14d221cfaae shows that very fact.
⚠️ Bondly Finance $BONDLY has been exploited ⚠️ https://t.co/5kirjy93Sf @BondlyFinance #defi
At the time of this writing, the attackers’ address holds over 11.97 ETH (worth $23K), 274.14 WETH (worth $524K), ~125.8K BONDLY (worth $755K), 444K FXF (worth $133.5K), apart from other relatively smaller token holdings. Some of the funds have been routed to Tornado Cash also. It’s necessary that liquidity providers remove all liquidity as the attacker can still dump large holdings.
https://t.co/IMaKegj0YP$bondly
exploiter address visualized pic.twitter.com/vueysWxWia
The team’s response and actions since then have been suspicious, giving rise to the rug pull theory. It’s further strengthened by the fact that the team refused to give any proper explanation or mitigation plan for the BONDLY token holders, who are left with millions in losses and a largely unresponsive team.