Published in MANTRA

BONDLY Exploit — How it Unfolded on ZENTEREST Postmortem

Dear Sherpas,

As many of you are aware, yesterday on July 15th, 2021, a malicious actor was able to gain access to the Bondly Finance Staking Rewards wallet containing 373,088,023 $BONDLY and subsequently supplied 200,460,000 $BONDLY to borrow a large number of assets that were supplied on ZENTEREST.

To be clear, Sherpas who were supplying assets on ZENTEREST should NOT worry, as all funds will be restored. This was NOT a hack on ZENTEREST and the ZENTEREST smart contracts and code are NOT flawed nor have they been compromised.

Timeline & Technical Analysis of Events on Exploit Incident

Jul-14-2021 02:03:20 PM +UTC

Using a proxy address, the Bondly Exploiter receives ETH from Tornado Cash (a cryptocurrency mixer and privacy tool) into a fresh wallet; the funds cannot be traced further back than this event.

Txn Hash: 0x1022831eaa2b9d1536c0e110eeb9061ba8c3bafb91c261fba86861d6e9a79b65 + 0x76b66c649365e176ebaf0afe89f81bc08a8dc73c8ce6dc27ad0d4aecda39abff

Receiver Address: 0x47664FA285AB01414d1C3714e6F7fe27c40591d7

Sender Address: 0x910Cbd523D972eb0a6f4cAe4618aD62622b39DbF (Tornado Cash)

Amount: 11 ETH (2 combined txns)

Time: Jul-14-2021 02:03:20 PM +UTC

Block: 12825544

Jul-14-2021 02:04:38 PM +UTC

Bondly Exploiter sends the ETH to the “Bondly Finance Exploiter” hacking address.

Txn Hash: 0xf865865dc8eeb1142def1e2c392161a11b11a85519705ca13a26890465962b25

Receiver Address: 0xc433d50dd0614c81ee314289ec82aa63710d25e8 (Bondly Finance Exploiter)

Sender Address: 0x47664fa285ab01414d1c3714e6f7fe27c40591d7

Amount: 10.948806 ETH

Block: 12825550

Jul-14-2021 02:49:37 PM +UTC

Bondly Exploiter approves zenBONDLY on ZENTEREST.

Txn Hash: 0xd63295d0a74e03fcba720d8ee49f769e5c3e40d2055755a0b92091748607f850

From: 0xc433d50dd0614c81ee314289ec82aa63710d25e8 (Bondly Finance Exploiter)

To: 0x606246e9ef6c70dcb6cee42136cd06d127e2b7c7 (Contract)

Block: 12825748

Jul-15-2021 12:16:01 AM +UTC

Bondly Exploiter transfers 373 million BONDLY to their wallet.

Txn Hash: 0xc2b339468b23cc8b98d6d4534e87d8ec3b85a0d26f8c169a22efe14d221cfaae

Receiver Address: 0xc433d50dd0614c81ee314289ec82aa63710d25e8 (Bondly Finance Exploiter)

Sender Address: 0x6bEE9387Bb670A7f3e3b355d0389419c2aA598d1 (Bondly Token Staking Rewards)

Action: Transfer

Amount: 373,088,023

Token: $BONDLY

Block: 12828259

Jul-15-2021 12:17:49 AM +UTC

Bondly Exploiter mints zenBONDLY tokens.

Txn Hash: 0x46526cbfbb14b0bb914d35d5b0f32b0e40e9783b67c0a000e8431f698924795f

From: 0xc433d50dd0614c81ee314289ec82aa63710d25e8 (Bondly Finance Exploiter)

Amount: 20,036,019.58587687 (zenBONDLY)

Block: 12828270

Jul-15-2021 12:19:11 AM +UTC

Bondly Exploiter begins borrowing assets on ZENTEREST.

Txn Hash: 0xb97f6433276156f8c8313b8c47f8b289cf59f2b3837632d5a04a5b0c50c65fe4

From: 0xc433d50dd0614c81ee314289ec82aa63710d25e8 (Bondly Finance Exploiter)

To: 0x4f905f75f5576228ed2d0ea508fb0c32a0696090 (MANTRA DAO: zenETH Token)

Block: 12828277

Jul-15-2021 12:26:43 AM +UTC

Last of the Bondly Exploiter’s borrowing actions.

Txn Hash: 0x91ad3534fdda04e0f469eefe51cca4a241c3d96920a799f713bb8c2c79f4ae2f

From: 0xc433d50dd0614c81ee314289ec82aa63710d25e8 (Bondly Finance Exploiter)

To: 0x6a4e7daf7e1244944bda17390b1ec5f44c9df671 (MANTRA DAO: zenKYL Token)

Block: 12828308

Jul-15-2021 12:27 AM +UTC

A MANTRA DAO community member noticed that the available liquidity of most major assets on ZENTEREST had been reduced to 0 and informed MANTRA DAO of the issue.

Jul-15-2021 12:36 AM +UTC

The MANTRA DAO Management & Development team determined that the incident was due to malicious activity. In response, the team began tracking the malicious wallet address and decided to pause the BONDLY market on ZENTEREST.

Jul-15-2021 12:46 AM +UTC

The MANTRA DAO Management team informed the Bondly Finance team of the incident. After some research and discussion, the teams determined that the Bondly Finance Staking Rewards Wallet had somehow been compromised and that 373,088,023 BONDLY had been removed from it and were in the possession of the Bondly Exploiter.

Jul-15-2021 01:43 AM +UTC

MANTRA DAO posted a notice in the Official Main Telegram group describing these findings and informing the community of the steps that had been taken.

Risk Mitigation Steps

As a first step, because the malicious actor is receiving OM rewards for borrowing assets, we will be turning off OM rewards for all ZENTEREST markets except the OM market while we look for ways to prevent this. The OM rewards will be turned off on July 17th, at 4 AM UTC.

In addition, we will be updating the collateral factor strategy for the following assets, which are determined to pose a higher risk to ZENTEREST due to lower liquidity and market cap levels:

zenRGT, zenZLOT, zenCORN, zenDSD, zenRHEGIC, zenZHEGIC, zenKNC, zenDVG, zenROYA, zenPOLS, zenRFUEL, zenMPH, zenWHITE, zenWNXM, zenAPI3, zenBAO, zenINJ, zenBADGER, zenROOK, zenUTK, zenALPHA, zenFXF, zenKYL, zenPAID, zenENJ, zenLABS

We recognize that making adjustments to collateral factors has the potential to cause liquidations for current suppliers. With that in mind, we will be reducing collateral factors in gradual steps. Currently, all of the markets listed above have a collateral factor of 40%. The first update to be implemented will be a reduction of 5% to all the markets listed above (down to 35%), and will take place on July 19th, at 8 AM UTC. A second reduction of 5% to all those markets (down to 30%) will take place on July 26th, at 8 AM UTC.

In addition to the collateral factor revisions stated above, we will be launching a complete overhaul of collateral factors on all ZENTEREST markets over the coming weeks. Further notice for these changes will be announced prior to them being implemented.

The above changes mean that Sherpas who are currently supplying assets should reassess the health of their current borrow limits and increase their collateral before the changes are implemented in order to avoid liquidation.
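A worked example of the borrow-limit arithmetic that the step-downs above act on, added here and not MANTRA DAO's or Compound's own code: a Compound-style health check replayed over the 40% / 35% / 30% schedule, plus the extra collateral a supplier would need to add to stay within the limit. The token prices, the USDC collateral factor and the sample position are constructed assumptions, not figures from the page.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Collateral-factor schedule the page announces for the listed low-liquidity markets:
# 40% today, 35% from July 19, 30% from July 26.
CF_SCHEDULE = {"current": 0.40, "jul19": 0.35, "jul26": 0.30}

@dataclass
class Position:
    supplied: Dict[str, float] = field(default_factory=dict)  # token -> amount supplied as collateral
    borrowed: Dict[str, float] = field(default_factory=dict)  # token -> amount borrowed

def borrow_limit(pos: Position, prices: Dict[str, float], cfs: Dict[str, float]) -> float:
    """Compound-style borrow limit: supplied value scaled by each market's collateral factor."""
    return sum(amt * prices[t] * cfs[t] for t, amt in pos.supplied.items())

def borrow_balance(pos: Position, prices: Dict[str, float]) -> float:
    return sum(amt * prices[t] for t, amt in pos.borrowed.items())

def health(pos: Position, prices: Dict[str, float], cfs: Dict[str, float]) -> float:
    """Borrow limit / debt: above 1.0 the account is within its limit, below 1.0 it is liquidatable."""
    debt = borrow_balance(pos, prices)
    return float("inf") if debt == 0 else borrow_limit(pos, prices, cfs) / debt

def health_across_schedule(pos, prices, base_cfs, affected: Set[str], schedule=CF_SCHEDULE):
    """Replay each scheduled step-down on the affected markets; other markets keep their factor."""
    result = {}
    for step, cf in schedule.items():
        cfs = {t: (cf if t in affected else f) for t, f in base_cfs.items()}
        result[step] = round(health(pos, prices, cfs), 4)
    return result

def extra_collateral_needed(pos, prices, base_cfs, token, target_cf, target_health=1.0):
    """Units of `token` to add so the account keeps `target_health` once that market's factor drops to `target_cf`."""
    cfs = dict(base_cfs, **{token: target_cf})
    others = Position(supplied={t: a for t, a in pos.supplied.items() if t != token})
    value_needed = target_health * borrow_balance(pos, prices) - borrow_limit(others, prices, cfs)
    units_needed = value_needed / (prices[token] * target_cf)
    return round(max(0.0, units_needed - pos.supplied.get(token, 0.0)), 2)

# Constructed sample: 100,000 zenRGT supplied (an affected market, assumed price $1.00)
# against a $38,000 USDC borrow. Prices and the USDC factor are assumptions, not page data.
PRICES = {"RGT": 1.0, "USDC": 1.0}
BASE_CFS = {"RGT": 0.40, "USDC": 0.80}
AFFECTED = {"RGT"}
SAMPLE = Position(supplied={"RGT": 100_000.0}, borrowed={"USDC": 38_000.0})

if __name__ == "__main__":
    print(health_across_schedule(SAMPLE, PRICES, BASE_CFS, AFFECTED))  # safe today, liquidatable from Jul 19
    print(extra_collateral_needed(SAMPLE, PRICES, BASE_CFS, "RGT", CF_SCHEDULE["jul26"]))
```

The sample position is safe at the current 40% factor but falls below the limit at the first step-down, which is exactly the case the paragraph above asks suppliers to check for before July 19th.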

In addition to the above, we will also increase the ZENTEREST listing requirements and take additional steps in analyzing the security measures of both the tokens and the projects’ teams that administer the tokens.

Future Steps and ZENTEREST v2

To further refine our vetting process, we will be making our ZENTEREST listing processes more stringent by ensuring that:

  1. All assets pass an enhanced internal security due-diligence audit before being considered for listing.
  2. We will create a MANTRA Listing Committee that will need to reach a quorum to give approval for assets that are considered for listing.
  3. The assets go through a final community governance vote before the listing is made.

To ensure that an incident like this will never take place again, we will be taking some of the lessons learned in this incident to influence the design of our upcoming ZENTEREST v2.

Closing Statements

There is no doubt that this was an unprecedented incident for the Sherpa community, but the quick actions and level-headedness of the team allowed this situation to be contained to something manageable. Once again, we would like to assure everyone that all of those who were directly affected will be “made whole”. The borrowed assets will be restored, and this restoration will take place without funding from the OM token treasury. We want to make it abundantly clear that ZERO OM tokens will be sold to cover the ZENTEREST protocol’s “bad debt” incurred from the Bondly Exploiter.

We were able to mitigate the damage by executing a liquidation event on the Bondly Exploiter’s wallet address and recovering a significant portion of the assets that were taken. While a substantial amount of assets has been taken, we will be looking to replenish the key ZENTEREST assets to their levels prior to the incident.

We also want to address any additional concerns our Sherpas might have regarding how the exploit has affected MANTRA DAO. While the attack will inevitably compel us to make some adjustments to how MANTRA DAO’s assets will be allocated in the near future, it has in no way, shape or form affected MANTRA DAO’s ability to grow and operate and to continuously work to bring our Sherpas amazing products.

We will be looking to come out of this incident stronger than ever and we look forward to some amazing updates ahead in our journey to help everyone store and grow wealth together!

Appendix I

List of tokens and token amounts that were borrowed by the Bondly Exploiter on ZENTEREST:

About MANTRA DAO

MANTRA DAO is a community-governed DeFi ecosystem focusing on staking, lending, and cross-chain DeFi products. MANTRA DAO has built a suite of DeFi services including a multi-asset staking platform, money markets lending protocol, gamified lottery pool, and stablecoin minting protocol. The suite is currently natively built on Ethereum, with cross-chain products currently on Binance Smart Chain and Polygon, and we are currently working on launching these services on Solana, HECO, and Polkadot in the near future.
