A $9 million decentralized finance (DeFi) hack over the weekend has been traced to an oracle flaw, with the vulnerable Hedera (HBAR) deployment left unpatched. Bonzo Lend reported that the attacker inflated collateral values to borrow far more than the assets were worth.
Oracle Vulnerability Exploited
According to Protos, the bug originated from an oracle provided by blockchain infrastructure firm Supra Network. Supra recently patched oracles on 11 chains but left the Hedera contract untouched, making it a target. Usmann Khan of Plasma noted that while Supra upgraded oracles on multiple chains, the Hedera contract used by Bonzo Lend was not addressed.
Delayed Patch and AI Claims
In a report released about 12 hours after the incident, Supra called the bug a "cryptographic edge case" but did not detail how other chain deployments were fixed. It stated it reviewed other oracle deployments sharing the same verifier pattern to ensure they had similar protections. Supra co-founder and CEO Josh Tobkin claimed an "AI-assisted hack" found what humans missed for two years.
Incomplete Coverage
On-chain analysis by HSuite founder Tomachi Anura revealed that Supra performed proxy upgrades on 11 chains from June 29 (Base) to July 3 (Polygon, now MATIC). However, Hedera and Fuse were only fixed after the attack. Anura noted that all source-verified deployments pointed to the same "SupraSValueFeedVerifier," but why fixes stopped on July 3 remains unclear.
Broader Implications
This incident underscores how oracle errors can lead to massive losses in DeFi. Oracles, which fetch external price data, are critical for lending, liquidations, and collateral valuation; even small inaccuracies can be exploited. Recent oracle manipulation cases have caused $3.5 million in losses, and a simple timing discrepancy led to $27 million in wrongful wstETH liquidations on Aave's Ethereum market. Oracle security remains vital to DeFi trust.