Copy
Trading Bots
Events
More

Hedera Oracle Flaw Leads to $9M Bonzo Lend Hack

2026/07/16 01:47Browse 0

A $9 million decentralized finance (DeFi) hack over the weekend has been traced to an oracle flaw, with the vulnerable Hedera (HBAR) deployment left unpatched. Bonzo Lend reported that the attacker inflated collateral values to borrow far more than the assets were worth.

Oracle Vulnerability Exploited

According to Protos, the bug originated from an oracle provided by blockchain infrastructure firm Supra Network. Supra recently patched oracles on 11 chains but left the Hedera contract untouched, making it a target. Usmann Khan of Plasma noted that while Supra upgraded oracles on multiple chains, the Hedera contract used by Bonzo Lend was not addressed.

Delayed Patch and AI Claims

In a report released about 12 hours after the incident, Supra called the bug a "cryptographic edge case" but did not detail how other chain deployments were fixed. It stated it reviewed other oracle deployments sharing the same verifier pattern to ensure they had similar protections. Supra co-founder and CEO Josh Tobkin claimed an "AI-assisted hack" found what humans missed for two years.

Incomplete Coverage

On-chain analysis by HSuite founder Tomachi Anura revealed that Supra performed proxy upgrades on 11 chains from June 29 (Base) to July 3 (Polygon, now MATIC). However, Hedera and Fuse were only fixed after the attack. Anura noted that all source-verified deployments pointed to the same "SupraSValueFeedVerifier," but why fixes stopped on July 3 remains unclear.

Broader Implications

This incident underscores how oracle errors can lead to massive losses in DeFi. Oracles, which fetch external price data, are critical for lending, liquidations, and collateral valuation; even small inaccuracies can be exploited. Recent oracle manipulation cases have caused $3.5 million in losses, and a simple timing discrepancy led to $27 million in wrongful wstETH liquidations on Aave's Ethereum market. Oracle security remains vital to DeFi trust.

Disclaimer: This page may contain third-party information and does not necessarily reflect BYDFi's views or opinions. This content is for general reference only and does not constitute any representation, warranty, financial advice, or investment advice. BYDFi is not responsible for any errors, omissions, or any results arising from the use of such information. Virtual asset investments involve risks. Please carefully evaluate the risks of the product and your risk tolerance based on your financial situation. For more information, please refer to our Terms of Use and Risk Disclosure.