What is a Bonding Curve? (Types & Auditing Methodology)

Bonding curves are powerful pricing mechanisms, commonly used in token issuance, prediction markets, DAOs, and decentralized applications to determine token prices based on supply. But with great power comes many edge cases and attack surfaces.

A bonding curve is a mathematical function that defines the price of a token in relation to its supply. As tokens are bought (minted), the supply increases and the price follows the curve. When tokens are sold (burned), the price decreases accordingly.

The bonding curve is usually backed by a reserve pool (e.g., ETH, DAI), which ensures liquidity. Multiple types of bonding curves vary the token prices based on the supply and at different rates based on its design.
 

Linear Bonding Curve

Linear bonding curve is one of the simplest forms of bonding curve and have a pretty simple equation to understand.

1P(s) = a * s + b
2
3P(s): Price at token supply s
4a: Slope of the line (price increase per token)
5b: Base price of the token

In the above equation, notice how the price is directly dependent on the supply; as the supply increases, the price of the token increases as well, with the opposite true for selling as selling or burning tokens would decrease the supply and hence the price.

Let’s understand this by an example value:

• a = 0.01 (the price increment per token)
• b = 0.01 (base price of the token)

Then:

• Token 1 (s=0): P(0)= 0.01 * 0 + 0.01 = 0.01
• Token 2 (s=1): P(1) = 0.01 * 1 + 0.01 = 0.02
• Token 3 (s=2): P(2) = 0.01 * 2 + 0.01 = 0.03

As the supply of tokens increases, the price of each token increases in the same pattern.
 

Linear Bonding Curve Graph

Solidity Snippet

The function getPriceLinear is applies the linear bonding curve and returns the price of assets based on the token supply.

1function getPriceLinear(uint256 supply) public view returns (uint256) {
2    return a * supply + b;
3}

Characteristics

• Price increases at a constant rate.
• Easy to predict and reason about.
• Fair for early and late buyers, but doesn’t incentivize early adoption strongly.
   

Use Cases

• DAO fundraising (fair access)
• Simple AMMs or initial token sales

Exponential Bonding Curve

The exponential bonding curve rewards the initial buyers heavily as the price of the tokens increases at a very rapid rate as the supply of minted assets increases in the pool. It is perfect for limited mints, NFT launches, or tokens that want scarcity to reflect in price.

1P(s) = a * e ^ (b * s)
2
3P(s): Price of the next token based on current supply s
4a: Starting Price or base price (when supply is zero)
5e: Euler’s number ≈ 2.718
6b: Growth coefficient (determines how fast price increases)
7s: Current tokens supply

Directly computing e ^ (b * s) is expensive or even infeasible in Solidity or Cairo due to precision issues, a lack of floating-point support, and constant exponential math. We can apply an approximation to make the calculation; it essentially acts as a discrete version of exponential growth:

1P(s) = a * (1 + r) ^ s
2
3r ≈ small value (e.g., 0.01 or 1% growth per token)

So instead of calling exp() functions, you just multiply the base price by (1 + r)^s in fixed-point math.

Let’s understand the exponential bonding curves with an example:

• a = 1 ETH (base price)
• r = 0.01 (1% growth)
• Current Supply = 10

then, P(10) = 1 * (1 + 0.01)^10 = 1 * (1.01)^10 ≈ 1.1046 ETH

And if supply = 100, then

P(100) = 1 * (1.01)^100 ≈ 2.7048 ETH
 

Exponential Bonding Curve Graph

Solidity Snippet 

1function getPriceExponential(uint256 supply) public view returns (uint256) {
2    return a * (1 + r)**supply;
3}

Characteristics

• Price increases very fast as supply increases.
• Strong incentive for early buyers.
• Unsuitable for tokens needing frequent minting/burning.
   

Use Cases

• Strong speculation-driven tokens
• GameFi reward systems

Logarithmic Bonding Curve

The logarithmic curves follow the logarithmic equation to get to the price of an asset based on the supply. The price of tokens increases rapidly at first with the supply and then slows down as the supply grows.

1P(s) = a * ln(s + 1)
2
3P(s): Price at supply s
4a: Scaling factor (sets steepness of curve)
5ln: Natural logarithm (base e)
6s: current token supply
7s+1: To avoid log(0)

Let’s understand this by an example value:

• a = 0.01 (scaling factor for curve steepness)

Using the logarithmic bonding curve formula:

P(s) = 0.01 * ln(s + 1)

Then:

• Token 1 (s = 0): P(0) = 0.01 * ln(1) = 0.01 * 0 = 0.00
• Token 2 (s = 1): P(1) = 0.01 * ln(2) ≈ 0.01 * 0.693 = 0.00693
• Token 3 (s = 2): P(2) = 0.01 * ln(3) ≈ 0.01 * 1.098 = 0.01098
• Token 4 (s = 3): P(3) = 0.01 * ln(4) ≈ 0.01 * 1.386 = 0.01386
• Token 5 (s = 4): P(4) = 0.01 * ln(5) ≈ 0.01 * 1.609 = 0.01609

As the supply of tokens increases, the price of each token increases, but at a slowing rate. The logarithmic curve keeps early tokens cheap while still introducing gradual growth over time.
 

Logarithmic Bonding Curve Graph:

Solidity Snippet

1function getPriceLogarithmic(uint256 supply) public view returns (uint256) {
2    return a * log2(supply + 1); // approximation using log2 or log10
3}

It is important to note that solidity doesn’t natively support floating points, so logarithmic functions are approximated with math libraries like ABDKMath64x64.

Characteristics

• Price increases quickly at first, then slows down.
• It is good for bootstrapping an early user base.
• Allows a large supply at a manageable cost.
   

Use Case

• Governance tokens
• Membership tokens

Sigmoid (S-Curve) Bonding Curve

Sigmoid pricing curve is unique in its calculation when it increases the price with the supply and offers different use cases.

1P(s) = L / (1 + e ^ (-k * (s - x0)))
2
3P(s): Price at token supply s
4L: Maximum value (asymptote)
5k: Steepness
6x0: Midpoint of curve
7e: Euler’s number (≈ 2.718), base of natural log

Let’s understand this by an example value:

• L = 1 (Max Price)
• k = 0.2 (moderate steepness)
• x0 = 3 (midpoint at 10 tokens)

Using the Sigmoid Bonding Curve Formula:

P(s) = L / (1 + e ^ (-k * (s - x0)))

Then:

• Token 1 (s = 0): P(0) = 1.0 / (1 + e^(-0.2 * (0 - 3))) = 1.0 / (1 + e^0.6) ≈ 1.0 / (1 + 1.822) ≈ 0.3543
• Token 2 (s = 1): P(1) = 1.0 / (1 + e^(-0.2 * (1 - 3))) = 1.0 / (1 + e^0.4) ≈ 0.4013
• Token 3 (s = 2): P(2) = 1.0 / (1 + e^(-0.2 * (2 - 3))) = 1.0 / (1 + e^0.2) ≈ 0.4502
• Token 4 (s = 3): P(3) = 1.0 / (1 + e^(-0.2 * (3 - 3))) = 1.0 / (1 + e^0) = 1.0 / 2 = 0.5000
• Token 5 (s = 4): P(4) = 1.0 / (1 + e^(-0.2 * (4 - 3))) = 1.0 / (1 + e^-0.2) ≈ 0.5498
• Token 6 (s = 5): P(5) = 1.0 / (1 + e^(-0.2 * (5 - 3))) = 1.0 / (1 + e^-0.4) ≈ 0.5987
• Token 7 (s = 6): P(6) = 1.0 / (1 + e^(-0.2 * (6 - 3))) = 1.0 / (1 + e^-0.6) ≈ 0.6457

As the supply increases, the token price gradually rises, slow at the beginning, steeper around the midpoint (s = 3), and flattens as it approaches the price ceiling (L = 1.0). This curve is ideal for fair distribution with a soft cap on the token price.
 

Sigmoid Curve Graph

Solidity Snippet (approximated)

1function sigmoid(uint256 x) public pure returns (uint256) {
2    // Use integer approximation or external math lib
3    // Placeholder: Replace with fixed-point sigmoid
4    return L / (1 + exp(-k * (x - x0)));
5}

Like an exponential curve, a sigmoid curve needs libraries like PRBMath or ABDKMath64x64 for precision.
 

Characteristics

• Price grows slowly at first, accelerates in the middle, and then flattens.
• Best for progressive decentralization or balanced access.
• Creates strong middle-phase demand.
   

Use Cases

• Governance tokens with fair distribution
• Reputation systems
• Social tokens

Business Logic of Bonding Curves

Bonding curves are mathematical models that define the relationship between token price and supply. They are integral to various DeFi applications, including:

• Fundraising Mechanisms: Platforms like Giveth and Aragon utilize bonding curves to raise funds by issuing tokens whose prices increase with demand, aligning incentives and addressing the free-rider problem .
   
• Automated Market Makers (AMMs): Protocols such as Uniswap and Curve Finance employ bonding curves to facilitate token swaps, ensuring continuous liquidity and price discovery.
   
• Stablecoins: Some stablecoins use bonding curves to adjust token supply in response to market demand, maintaining price stability.
   
• Governance Tokens: Decentralized Autonomous Organizations (DAOs) often issue governance tokens via bonding curves, incentivizing early participation and fair distribution of voting power.
   

Common Functions in Bonding Curve Smart Contracts

Bonding curve smart contracts typically include the following functions:

• buy(): Allows users to purchase tokens by sending collateral (e.g., ETH, DAI). The function calculates the number of tokens to mint based on the bonding curve formula.
   
• sell(): Enables users to sell tokens back to the contract in exchange for collateral. The function calculates the return amount and burns the sold tokens.
   
• getPrice(): Returns the current price of a token based on the bonding curve.
   
• getReserve(): Provides the current reserve balance held by the contract.
   
• calculatePurchaseReturn() / calculateSaleReturn(): Helper functions that compute the amount of tokens to mint or collateral to return for a given transaction.
   
• setTaxRate(): (If applicable) Sets the tax rate on buy/sell transactions, directing a portion of the transaction to a treasury or other designated address.
   

Common Attack Vectors in Bonding Curves

Bonding curves encode economic logic into on-chain math. This makes them incentive-aligned, but also financially gameable. As a security auditor, here’s where attackers might target:

1. Sandwich & Front-Running Attacks

Target Surface: Public buy() / sell() functions with predictable price updates.

• Mechanism: If token prices are updated after a transaction, attackers can front-run a large buy/sell, then back-run to profit from the price shift.
• Why it works: The bonding curve doesn’t lock slippage or use amountOutMin. So, price changes between transactions are exploitable.

Mitigations:

• Use minReturn parameters.
• Use anti-MEV mechanisms (e.g., commit-reveal, batching, or delay blocks).
• Consider private orderbooks for high-value trades.
   

2. Flash Loan-Based Curve Manipulation

Target Surface: Bonding curves that update price based on liquidity or reserves.

• Mechanism: Use a flash loan to momentarily distort the bonding curve (e.g., simulate a huge buy or liquidity addition), trigger a price increase, and then unwind profitably within the same block.

Real World Example:

Pump.fun exploit where the attacker flash-loaned into the curve, manipulated price perception, and dumped.

Mitigations:

• Enforce minimum hold periods or TWAP-based pricing.
• Prevent reentrancy and intra-block price manipulations.
   

3. Whale-Induced Price Collapse

Target Surface: Linear/Exponential bonding curves with no trade caps.

• Mechanism: A whale could dump a massive amount of tokens, tanking the price curve. Then, use an alt address to scoop up cheap tokens (classic pump-dump cycle).

Mitigations:

• Use circuit breakers or transaction size caps.
• Implement a progressive tax on large sales.
• Penalize steep price-impact trades via dynamic fees.
   

4. Dust and Zero-Value Attacks

Target Surface: Edge-case math inside calculateBuyReturn() / calculateSellReturn().

• Mechanism: Calling buy/sell with 0 Or 1 wei may break assumptions, triggering division-by-zero or DoS due to assert violations or underflows in early implementations.

Mitigations:

• Always assert that amount > 0.
• Use custom error messages for invalid trades.
• Handle roundingError != 0 via precise math (e.g., FullMath, PRBMath, or mulDiv).
   

5. Curve Arithmetic Inaccuracies

Target Surface: Custom curve math (k = xy, sigmoid, exp curves).

• Mechanism: Incorrect use of pow, log, or sqrt Math may cause underflows, overflows, or rounding bugs.

Mitigations:

• Always use tested math libraries (PRBMathUD60x18, ABDKMath64x64).
• Unit test all math functions with extreme values.
• Include delta tolerance checks during audits.
   

6. Price Oracle Abuse (Hybrid Curves)

Target Surface: Bonding curves influenced by oracles (e.g., bonding against ETH/USD rate).

• Mechanism: Attackers manipulate the oracle feed (especially if it’s TWAP-based) to change minting cost or redemption rates.

Mitigations:

• Use decentralized, tamper-resistant oracles (e.g., Chainlink, Pyth).
• Enforce rate limits on how quickly prices can change.
• Cross-check Oracle data with the internal curve state.
   

7. Incomplete Tax Enforcement

Target Surface: Buy/sell functions with taxPercent or fee logic.

• Mechanism: Users find paths to bypass tax (e.g., internal transfer, redemption vs. direct sell), especially in non-standard ERC20 tokens.

Mitigations:

• Consistently apply tax logic across all entry points.
• Audit fee logic for rounding exploits or tax > 100% edge cases.
• Confirm compatibility with rebasing or non-standard tokens (e.g. stETH, cDAI).
   

8. Novel Curve Exploit (Bad Theory, Good Implementation)

Target Surface: Logic built on economic assumptions instead of secure math.

• Mechanism: When custom math works "correctly" but can be gamed due to flawed incentives.

  Example: alternating trust/distrust voting in Ethos' bonding curve to suppress price rise.

Mitigations:

• Challenge the business logic: Can attackers force abnormal price states?
• Simulate economic game theory attacks.
• Use fuzzing with economic constraints (invariant: price must rise if total buy > sell).
   

Audit Checklist for Bonding Curves

When auditing bonding curve smart contracts, consider the following points. While this checklist is a strong starting point, it is not exhaustive, as bonding curves can vary widely in design and purpose. Novel implementations may introduce custom logic, unique pricing formulas, or hybrid mechanisms. Always analyze each bonding curve in its specific business and technical context.

Precision Handling: Ensure the contract handles decimal values accurately to prevent rounding errors.

Tax Implementation: Verify that any tax mechanisms are correctly implemented and cannot be bypassed.

Zero-Value Inputs: Check how the contract handles zero-value inputs to prevent unexpected behavior.

Arithmetic Operations: Ensure that operations are ordered correctly (e.g., multiplication before division) to maintain accuracy.

Edge Case Handling: Test the contract with very large and very small input values to identify potential vulnerabilities.

Token Compatibility: Confirm that the contract interacts correctly with various ERC20 tokens, including those with non-standard implementations.

Initialization State: Review the contract's initial state to ensure it doesn't lead to unintended behavior.

Rounding Errors: Assess the potential for rounding errors and their impact on users.

Stuck Funds: Determine if there are scenarios where funds could become irretrievable within the contract.

Denial-of-Service (DoS) Risks: Evaluate the contract's resilience against DoS attacks.

Volatility Management: Analyze how the bonding curve responds to rapid price changes and whether it can be exploited.
 

Case Study: Exploiting a Novel Bonding Curve

In the Ethos Network, the bonding curve for trust and distrust votes was defined as:

1function _calcVotePrice(Market memory market, bool isPositive) private pure returns (uint256) {
2    uint256 totalVotes = market.votes[TRUST] + market.votes[DISTRUST];
3    return (market.votes[isPositive ? TRUST : DISTRUST] * market.basePrice) / totalVotes;
4}

Exploit Scenario:

An attacker alternates between buying trust and distrust votes to keep the ratio balanced, preventing significant price increases. Later, they sell all distrust votes, causing the price of trust votes to remain lower than expected, allowing them to buy back trust votes at a reduced price and profit from the manipulation.

References:

• Ethos Network Exploit Issue #19
• Ethos Network Exploit Issue #167
   

Conclusion

Bonding curves are of different types and serve different use cases across the industry. This guide covers different types of bonding curves, including Linear Bonding Curve, Exponential Bonding Curve, Logarithmic Bonding Curve, and Sigmoid (S-Curve) Bonding Curve.

It also provides a strong foundation for starting auditing these bonding curves with a separte checklist while explaining the core features of such curves. These curves can be targeted through different kinds of attack vectors, including Sandwich Attacks, Flash Loan Attacks, Curve Arithmetic Inaccuracies, and more.

At QuillAudits, with our 7+ years of experience, we hold the expertise to handle different types of codebases including those utilizing bonding curves for pricing. Our focus on securing smart contracts is backed by a Multi-Layered Auditing Framework, which helps us catch bugs effectively through our two-layer approach.