Bondly Finance

Date:: July 14th, 2021

Amount Stolen:: $5,900,000

Tags:: 🔑


Details

On Wednesday, July 14th 2021, Bondly Finance fell victim to an attack from a malicious actor (Attacker) leading to the transfer of 373,088,023 $BONDLY tokens from the Bondly Staking Rewards contract, 200,460,000 of which were used to mint zenBONDLY in a sophisticated attack on the MANTRA DAO ZENTEREST platform.

Bondly Finance believes that the attacker obtained access to the password account belonging to Bondly CEO Brandon Smith through a carefully planned strategy. The password account contained the recovery phrase for his hardware wallet. Once copied, the recovery phrase allowed the attacker to access the BONDLY smart contract and the company wallet, which was also compromised, resulting in the minting of 373 million BONDLY tokens, or $5M.

The hacker got access to a dev's password and then manipulated a smart contract from the protocol.

The breach also extended to a number of Bondly-held wallets, which were also compromised during the attack.

Upon initial investigation we believe the Attacker, through a well-orchestrated strategy, gained access to a password account belonging to Brandon Smith, CEO of Bondly.

The password account contained a mnemonic recovery phrase for his hardware wallet, which when replicated allowed the assailant access to the $BONDLY smart contract, as well as corporate wallets that were also compromised.

On-Chain

  • 0xbcea5abcb1b446b971eb67b6dd69736e68d273097774284ca5f257df2a31c3c7

  • 0xc2b339468b23cc8b98d6d4534e87d8ec3b85a0d26f8c169a22efe14d221cfaae

  • 0xc433d50dd0614c81ee314289ec82aa63710d25e8 - Primary Theft, Tornado Deposits

  • 0x419787019b991ac2c765a14467d177c6c0b05c00 - Tornado Withdrawal

  • 0x365d2c5220989a068d8b0e95625875c55166297b - Tornado Withdrawal

  • 0xe0c79066488a15b70361ad8268d713b05944a4fe - Tornado Withdrawal

  • 0xdef57ccb20b1f2eaee0c64aab3280350f84cb0fc - Tornado Withdrawal

  • 0x996f5ccbf2856137744603b382de559b78a096fc - Tornado Withdrawal

  • 0xa465e908abbda0ba0da598cced8abd4901b2f634

  • 0x954f68ea525c3b0f46c5baed5b38ffbbb7fa9bed

  • 0xd5e44a1408531be963e0700bf19d66fa7bc8adfd - FixedFloat Deposit Address

  • 0x58A058ca4B1B2B183077e830Bc929B5eb0d3330C

  • 0x9fd5d41a768499e520f85dbfddc6d08a0272a619

  • 0xd11418280813c8be344dd48f8343b9978aabc03a

  • 0x27a9d7d17d72a5a67115dbf381b121b51d8b5dd8 - Binance Deposit

  • 0xabef0df725ef5d2f0354c59ea3ccb161abc11515 - Binance Deposit

  • 0x246569f8b420c8d850c475c53d0d59973b3f08fc - Paxful Deposit

  • 0x593dc5e1ad81667bbfc90739dd2c09c926920e3b - Paxful Deposit

  • 0x2e1155cf5374cba058a04fd03ebd0ba19afe580d - Noones Deposit

Tornado Cash

"From July 16–20th 35 X 100,000 DAI and 3 X 100 ETH was withdrawn to 0x365 consolidating with the 100 BNB Tornado Cash withdrawals."

0x365d2c5220989a068d8b0e95625875c55166297b

"From July 22–29th 14 X 100,000 DAI and 2 X 100 ETH was withdrawn to 0xe0c7 consolidating with funds from the EasyFi hack. From August 12–23th 2 X 100 ETH was withdrawn to 0xe0c7."

0xe0c79066488a15b70361ad8268d713b05944a4fe

"On July 24th 2 X 100,000 DAI was withdrawn to 0xdef5 which received $7.4M from 0xe0c7 in a series of transactions."

0xdef57ccb20b1f2eaee0c64aab3280350f84cb0fc

"The remaining 1 X 100,000 DAI withdrawal was made to 0x996f."

0xd7589fdf5c035ce5d432e5af64b13b77802b7451315f460ce1bda8a4e7c89240

0x996f5ccbf2856137744603b382de559b78a096fc

zachxbt

URLs

Connections

  • On Polygon, the first transaction in [bZx exploiter 0x0acc0e5faa09cb1976237c3a9af3d3d4b2f35fa5] is from [Bondly Exploiter 0xc433D50DD0614c81EE314289eC82Aa63710D25e8].
  • This exploit was very similar to bZx's: the hacker got access to a dev's password and then manipulated a smart contract from the protocol.

0x0adab45946372c2be1b94eead4b385210a8ebf0b (Nexus Mutual Hacker) ->

  • 0xdf22e8de755535ca3dcc500336aaabbfc2a6e6bc ->
  • 0x558d63df14bb5ec2172d2996ae7931e416c985cf ->
  • 0x190b71ecffeb8bcde68be86bc959e06baddaea6a