Bondly Attack: July 14th 2021 Postmortem

Forj
6 min readJul 19, 2021

--

Letter From Harry Liu

Dear Bondly Community,

On behalf of the entire Bondly team, I would like to thank everyone for your overwhelming and continued support of the project while we continue to investigate the attack that happened on July 14th 2021. As we shared, an Attacker compromised control over corporate wallets that held tokens and NFTs. As the owner of the majority of Bondly’s corporate wallets, Brandon Smith has voluntarily taken a leave of absence to allow for an objective internal investigation of the incident and relevant subsequent events. As Co-Founder of Bondly, I have stepped into the role of CEO with the support of Bondly’s executive leadership team.

We will continue to proactively update our community with new information and developments resulting from our ongoing investigation. At this time, we continue to recommend that all investors refrain from additional transactions with the $BONDLY token and remove any remaining liquidity from DEXes.

Bondly remains committed to its vision to introduce NFT technology to the masses and we’re asking for our community’s continuing support to make it a reality. The Bondly team and I look forward to sharing our developments and partnership news that are in the works. Until then, thank you once again for your patience and support.

Below is our summary of the investigation to date, developed by the Bondly team.

Sincerely,

Harry Liu, Co-Founder and CEO

Bondly Compromise Postmortem V1: Topline Summary Of Events

On Wednesday, July 14th 2021, Bondly Finance fell victim to an attack from a malicious actor (Attacker) leading to the transfer of 373,088,023 $BONDLY tokens from the Bondly Staking Rewards contract, 200,460,000 of which were used to mint zenBONDLY in a sophisticated attack on the MANTRA DAO ZENTEREST platform. The breach also extended to a number of Bondly-held wallets, which were also compromised during the attack.

Upon initial investigation we believe the Attacker, through a well-orchestrated strategy, gained access to a password account belonging to Brandon Smith, CEO of Bondly. The password account contained a mnemonic recovery phrase for his hardware wallet, which when replicated allowed the assailant access to the $BONDLY smart contract, as well as corporate wallets that were also compromised.

Below is a summary of the events that occurred during the attack. Bondly will continue to release updated information as it becomes available.

Post-Mortem 1: Initial Key Takeaways

  • Ownership of Bondly’s token contract was compromised and transferred to the Attacker’s wallet. This will be resolved immediately through Bondly’s token redeployment strategy and the issuance of a new Bondly token.
  • Our project’s interoperability added to the complexity of the investigation, as the attack occurred on the following three chains: Etherum, Binance Smart Chain and Polygon.

Summary of Attacker Activities

Jul-14–2021 02:03:20 PM +UTC

  • To facilitate forthcoming transactions, the Attacker transferred Ether from Tornado Cash, a cryptocurrency mixer, to their proxy wallet, and it was then subsequently sent to an unknown wallet address.

Jul-15–2021 12:16:01 AM +UTC

Jul-15–2021 12:17:49 AM +UTC

Jul-15–2021 12:31:11 AM +UTC

  • The Attacker sent 11,412,747 $BONDLY to a wallet address owned by the Attacker.

Jul-15–2021 12:51:55 AM +UTC

  • A series of Bondly-held wallets were compromised and the funds immediately transferred to the Attacker’s wallet address. This includes Bondly’s staking reserve account, investment account and other Bondly company accounts.
  • Over the course of the next 24 hours, hundreds of small transfers of 10,000, 20,000 and 200,000 $BONDLY were made to numerous wallet addresses, which we believe were owned by the Attacker. In addition to Bondly tokens, the transfers included 271,790,246 $BONDLY BSC tokens and 6,620,128 $BONDLY Polygon tokens. In our analysis, we noted that a significant portion of the fraudulently acquired tokens were sold to exchange platforms. BSCscan example.

Jul-15–2021 01:04:50 AM +UTC

Jul-15–2021 02:04:26 AM +UTC

Jul-15–2021 08:15:24 AM +UTC

  • 501 Ether, stored at the following Ethereum address, which included Bondly assets, were sent to Tornado Cash through a series of transactions by the Attacker.

Summary of Bondly’s Response

Jul-15–2021 00:50 AM +UTC

  • Bondly was notified by an emergency communication from MANTRA DAO through Telegram of the incident.

Jul-15–2021 00:51 AM +UTC

  • Bondly’s Head of Crypto, along with Bondly Co-Founder, Harry Liu, joined an emergency call with the MANTRA DAO team and were alerted to the scale of the issue.

Jul-15–2021 00:58 AM +UTC

  • Bondly’s Head of Crypto requested Brandon Smith to join the call with MANTRA DAO. On the call, Brandon was advised to immediately remove liquidity from all decentralized exchanges, as he maintained exclusive access to the majority of Bondly’s corporate wallets.These wallets included all decentralized exchange liquidity pool tokens, investment account tokens, staking reserve tokens, eco fund tokens, payroll, company reserves, all NFT wallets, and Opensea reserve.

Jul-15–2021 01:10 AM +UTC

  • Bondly’s Head of Crypto and Co-founder Harry Liu immediately began a conference call meeting to discuss the series of events. Both notified Bondly’s CTO of the attack, however he did not immediately respond because it was 4:00 AM local time.

Jul-15–2021 02:03 AM +UTC

  • Bondly’s Head of Crypto inquired with Brandon Smith to verify removal of liquidity from decentralized exchanges which had been completed and was informed that the Attacker had already compromised the LP tokens.

Jul-15–2021 03:20 AM +UTC

  • Brandon Smith posted a Twitter announcement from his personal account to inform the public about the attack and his wallet being compromised, alerting all users to stop trading.

Jul-15–2021 05:27 AM +UTC

  • Bondly announces the attack to the community on Twitter and requested the cessation of all trading. This message is then posted to Bondly’s Telegram and Discord community channels.
  • Bondly executives notified the following exchanges of the compromise and recommended that they immediately stop trading $BONDLY to protect our community and investors:
  • Uniswap
  • PancakeSwap
  • MXC (MEXC)
  • BitMart
  • Gate.io
  • Bittrex

Jul-16–2021 17:53 PM +UTC

  • Brandon Smith voluntarily takes a leave of absence to eliminate any potential conflicts of interest with the investigation. In Brandon Smith’s absence, Bondly Co-Founder, Harry Liu, assumes the role of CEO.

Jul-16–2021 12:09 AM +UTC

  • Bondly begins communications with third-party forensic firms and other organizations with compromise experience to assist with Bondly’s response strategy. This in addition to Bondly actively working with MANTRA DAO to investigate the situation as it unfolded.

Jul-17–2021 18:30 PM +UTC

KEY NEXT STEPS

Ongoing Investigation & Follow Up Postmortem

Bondly will continue to complete its internal investigation and will publish additional results in due course in a follow-up post-mortem.

Token Re-deployment

Moving forward, Bondly will launch a fully secure, multisig ERC20 contract for the revised $BONDLY currency and provide the new token to owners based upon snapshots taken prior to the incident. Additional remedies for those who purchased the token following the hack are being considered and will be detailed in future communications.

Business Continuity
Bondly will continue to focus on delivering on its vision to bring NFT technology to the masses. We have a series of announcements to follow in the coming weeks. Understandably, we anticipate a small delay to these while we focus our attention on resolving this incident to the best of our ability for our investors and community, but our milestones remain in place.

--

--

Responses (1)